From valery.fauconnier at atosorigin.com Tue Apr 1 14:07:57 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Tue, 1 Apr 2008 16:07:57 +0200
Subject: [Fedora-directory-users] Problem to reset password
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F28B@eri.winad.be>

I installed fedora-ds to authenticate users. The authentication on our servers seems to work fine, but there's something wrong with the password policies, specifically with the password change enforcing.

I would like to force our users to change their password at first logon (or after a reset of the password).

All I get is a "Change After Reset" string appearing on the terminal. Nothing else is prompted and the session is disconnected.

Can anyone help with this issue?
From iferreir at personal.com.py Tue Apr 1 16:47:43 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Tue, 1 Apr 2008 12:47:43 -0400
Subject: [Fedora-directory-users] Problem to reset password
In-Reply-To: <8B50AA62C37CB448A36B5076F9AB0E380122F28B@eri.winad.be>
Message-ID:

If you are connecting via SSH, try changing the UsePrivilegeSeparation parameter.

> "FAUCONNIER Valery AWL-IT"
> Sent by: fedora-directory-users-bounces at redhat.com
> 01/04/2008 10:07 a.m.
> Please respond to "General discussion list for the Fedora Directory server project."
> Classification: Internal Use
> Subject: [Fedora-directory-users] Problem to reset password
>
> I installed fedora-ds to authenticate users. The authentication on our servers
> seems to work fine, but there's something wrong with the password policies,
> specifically with the password change enforcing.
>
> I would like to force our users to change their password at first logon (or
> after a reset of the password).
>
> All I get is a "Change After Reset" string appearing on the terminal. Nothing
> else is prompted and the session is disconnected.
>
> Can anyone help with this issue?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From beyonddc.storage at gmail.com Tue Apr 1 18:27:28 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Tue, 1 Apr 2008 14:27:28 -0400 Subject: [Fedora-directory-users] openldap ldapdelete command output - "Critical extension is unavailable" Message-ID: <20e4c38c0804011127i37c7a319j38bd8a473359e787@mail.gmail.com> Hi, I am not sure if this should belong to the openldap mailing list or here, but I will try here first since I'm using Fedora DS. I have "openldap-clients.i386 version 2.3.27-8" binary package installed, and using it to talk to Fedora-DS 1.0.2. I use ldapmodify to import data into the ldap server. The command I use is ldapmodify -h -p -D "cn=Directory Manager" -w -f ./data.ldif -x And the data looks like this ou=test1,dc=sandbox,dc=com ou=test11,ou=test1,dc=sandbox,dc=com ou=test12,ou=test1,dc=sandbox,dc=com ou=test13,ou=test1,dc=sandbox,dc=com I then use ldapdelete to recursively delete all data. The command I use is ldapdelete -h -p -D "cn=Directory Manager" -w -f ./delete.ldif -x -r -v And the delete.ldif looks like this ou=test1,dc=sandbox,dc=com When I ran the ldapdelete command, it prints out this deleting entry "ou=test1,dc=sandbox,dc=com" deleting children of: ou=test1,dc=sandbox,dc=com ldap_search: Critical extension is unavailable (12) The deletion did succeeded, but I just couldn't figure out why it prints out "Critical extension is unavailable". This only happen when I start using openldap-client 2.3.27-8. It didn't happen when I use openldap-clients-2.2.13-3. Any idea why it prints out "Critical extension is unavailable"? Thanks, David -------------- next part -------------- An HTML attachment was scrubbed... 
From ando at sys-net.it Tue Apr 1 18:36:15 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Tue, 01 Apr 2008 20:36:15 +0200
Subject: [Fedora-directory-users] openldap ldapdelete command output - "Critical extension is unavailable"
In-Reply-To: <20e4c38c0804011127i37c7a319j38bd8a473359e787@mail.gmail.com>
References: <20e4c38c0804011127i37c7a319j38bd8a473359e787@mail.gmail.com>
Message-ID: <47F2809F.4070503@sys-net.it>

Chun Tat David Chu wrote:
> Hi,
>
> I am not sure if this should belong to the openldap mailing list or here,
> but I will try here first since I'm using Fedora DS.
>
> I have the "openldap-clients.i386 version 2.3.27-8" binary package installed,
> and am using it to talk to Fedora-DS 1.0.2.
>
> I use ldapmodify to import data into the ldap server.
> The command I use is
>     ldapmodify -h -p -D "cn=Directory Manager" -w -f ./data.ldif -x
> And the data looks like this
>     ou=test1,dc=sandbox,dc=com
>     ou=test11,ou=test1,dc=sandbox,dc=com
>     ou=test12,ou=test1,dc=sandbox,dc=com
>     ou=test13,ou=test1,dc=sandbox,dc=com
>
> I then use ldapdelete to recursively delete all data.
> The command I use is
>     ldapdelete -h -p -D "cn=Directory Manager" -w -f ./delete.ldif -x -r -v
> And the delete.ldif looks like this
>     ou=test1,dc=sandbox,dc=com
>
> When I ran the ldapdelete command, it prints out this
>     deleting entry "ou=test1,dc=sandbox,dc=com"
>     deleting children of: ou=test1,dc=sandbox,dc=com
>     ldap_search: Critical extension is unavailable (12)
>
> The deletion did succeed, but I just couldn't figure out why it prints out
> "Critical extension is unavailable".
>
> This only happens when I start using openldap-client 2.3.27-8. It didn't
> happen when I used openldap-clients-2.2.13-3.
>
> Any idea why it prints out "Critical extension is unavailable"?

OpenLDAP's ldapdelete was modified to be able to remove a subentry
related to replication that was used at some point within syncrepl.
However, that code erroneously assumed that the database being deleted
always supported subentries, which wasn't true even for OpenLDAP itself.
It was fixed as ITS#5293 in 2.4.8, but it hasn't been fixed in the 2.3 series.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati at sys-net.it
---------------------------------------

From beyonddc.storage at gmail.com Tue Apr 1 18:42:29 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 1 Apr 2008 14:42:29 -0400
Subject: [Fedora-directory-users] openldap ldapdelete command output - "Critical extension is unavailable"
In-Reply-To: <47F2809F.4070503@sys-net.it>
References: <20e4c38c0804011127i37c7a319j38bd8a473359e787@mail.gmail.com> <47F2809F.4070503@sys-net.it>
Message-ID: <20e4c38c0804011142x39fc9e01j6a50c300667f2c72@mail.gmail.com>

Thanks for the info.

- dc

On Tue, Apr 1, 2008 at 2:36 PM, Pierangelo Masarati wrote:
> Chun Tat David Chu wrote:
> > [...]
> > Any idea why it prints out "Critical extension is unavailable"?
>
> OpenLDAP's ldapdelete was modified to be able to remove a subentry
> related to replication that was used at some point within syncrepl.
> However, that code erroneously assumed that the database being deleted
> always supported subentries, which wasn't true even for OpenLDAP itself.
> It was fixed as ITS#5293 in 2.4.8, but it hasn't been fixed in the 2.3 series.
>
> p.
> [...]
From rmeggins at redhat.com Tue Apr 1 19:38:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 01 Apr 2008 13:38:01 -0600
Subject: [Fedora-directory-users] SSL
In-Reply-To:
References: <47F125FC.9010904@redhat.com>
Message-ID: <47F28F19.3070804@redhat.com>

certutil -L -d /etc/dirsrv/slapd-instance
certutil -L -d /etc/dirsrv/admin-serv

Anand Vaddarapu wrote:
> Hi,
>
> ls -al ~/.fedora-idm-console/
> total 12
> drwxr-xr-x   2 root root 4096 Feb 26 08:46 .
> drwxr-x---  12 root root 4096 Mar 26 16:10 ..
>
> certutil -L -d ~/.fedora-idm-console/
> certutil: function failed: security library: bad database.
>
> Thanks
>
> On Tue, Apr 1, 2008 at 4:57 AM, Rich Megginson wrote:
> > Anand Vaddarapu wrote:
> > > Hi,
> > >
> > > After enabling SSL with console using the procedure
> > > http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
> > > I am getting the following error messages when I am trying to login
> > > into directory server in the console. SSL is enabled in both the admin
> > > console & the Ldap server
> > >
> > > From logs:
> > > [27/Mar/2008:14:56:24 +1100] conn=47 fd=66 slot=66 SSL connection from 10.50.5.81 to 10.50.1.24
> > > [27/Mar/2008:14:56:24 +1100] conn=47 op=-1 fd=66 closed - SSL peer cannot verify your certificate.
> >
> > ls -al ~/.fedora-idm-console
> > certutil -L -d ~/.fedora-idm-console
> >
> > > we are seeing these when starting the Ldap server
> > >
> > > 27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> > > [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> > > [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> > > [27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> > > [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> > > [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> > > [27/Mar/2008:14:45:05 +1100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> > > [27/Mar/2008:14:45:05 +1100] - Listening on All Interfaces port 636 for LDAPS requests
> > >
> > > Console error message:
> > >
> > > netscape.ldap.LDAPException:JSSSocketFactory.makeSocket devil.wcg.net.au:636, SSL_ForceHandshake failed: (-8054) unknown error (91)
> > >
> > > Help Appreciated.
> > >
> > > Thanks
From vaddarapu at gmail.com Tue Apr 1 21:58:55 2008
From: vaddarapu at gmail.com (Anand Vaddarapu)
Date: Wed, 2 Apr 2008 08:58:55 +1100
Subject: [Fedora-directory-users] SSL
In-Reply-To: <47F28F19.3070804@redhat.com>
References: <47F125FC.9010904@redhat.com> <47F28F19.3070804@redhat.com>
Message-ID:

Hi,

#certutil -L -d /etc/dirsrv/slapd-instance
CA certificate                                                  CTu,u,u
server-cert                                                     u,u,u
Server-Cert                                                     u,u,u

#certutil -L -d /etc/dirsrv/admin-serv
CA certificate                                                  CTu,u,u
server-cert                                                     u,u,u
Server-Cert                                                     u,u,u

Thanks

On Wed, Apr 2, 2008 at 6:38 AM, Rich Megginson wrote:
> certutil -L -d /etc/dirsrv/slapd-instance
> certutil -L -d /etc/dirsrv/admin-serv
>
> Anand Vaddarapu wrote:
> > Hi,
> >
> > ls -al ~/.fedora-idm-console/
> > total 12
> > drwxr-xr-x   2 root root 4096 Feb 26 08:46 .
> > drwxr-x---  12 root root 4096 Mar 26 16:10 ..
> >
> > certutil -L -d ~/.fedora-idm-console/
> > certutil: function failed: security library: bad database.
> >
> > Thanks
> >
> > On Tue, Apr 1, 2008 at 4:57 AM, Rich Megginson wrote:
> > > [...]

From valery.fauconnier at atosorigin.com Wed Apr 2 07:56:29 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Wed, 2 Apr 2008 09:56:29 +0200
Subject: [Fedora-directory-users] Problem to reset password
In-Reply-To:
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F28D@eri.winad.be>

I modified the UsePrivilegeSeparation parameter, but I still have the message and a disconnection.

I can avoid this by modifying the pam configuration in the system-auth file:

replace:
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
by:
    account     sufficient    /lib/security/$ISA/pam_unix.so broken_shadow

With this change it works, but I'm directly connected without a prompt to change my password.

Is there something wrong with the pam_unix or pam_ldap configuration?

This was already posted as "pam_ldap and password policy"; there is no answer.
https://www.redhat.com/archives/fedora-directory-users/2005-June/msg00184.html

Any ideas?
-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ivan Ferreira
Sent: Tuesday 1 April 2008 18:48
To: General discussion list for the Fedora Directory server project.
Cc: fedora-directory-users at redhat.com; fedora-directory-users-bounces at redhat.com
Subject: Re: [Fedora-directory-users] Problem to reset password

If you are connecting via SSH, try changing the UsePrivilegeSeparation parameter.

[...]

From valery.fauconnier at atosorigin.com Wed Apr 2 08:49:56 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Wed, 2 Apr 2008 10:49:56 +0200
Subject: [Fedora-directory-users] Problem to reset password
In-Reply-To:
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F28E@eri.winad.be>

I tried to log on on an fc8 workstation and it works fine. However, all my production servers are RHAS4.4 ...

Is there an issue with the pam_unix module?

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ivan Ferreira
Sent: Tuesday 1 April 2008 18:48
To: General discussion list for the Fedora Directory server project.
Cc: fedora-directory-users at redhat.com; fedora-directory-users-bounces at redhat.com
Subject: Re: [Fedora-directory-users] Problem to reset password

If you are connecting via SSH, try changing the UsePrivilegeSeparation parameter.

[...]

From alan.orlic at zd-lj.si Wed Apr 2 11:49:40 2008
From: alan.orlic at zd-lj.si (Alan Orlič Belšak)
Date: Wed, 02 Apr 2008 13:49:40 +0200
Subject: [Fedora-directory-users] Group membership
In-Reply-To: <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net>
References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com> <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net>
Message-ID: <47F372D4.2070003@zd-lj.si>

Hello,

I'm using LDAP Admin for administering our user database and found out something strange: if I add a user to a group via the group properties, the permissions of that group aren't effective, but if I add the group to that user (via the user properties), those permissions are effective. Any ideas why? It looks like Samba and eGroupware are checking only users and not groups.
Bye, alan

From jheenan at fairfaxmedia.com.au Wed Apr 2 07:01:02 2008
From: jheenan at fairfaxmedia.com.au (Joel Heenan)
Date: Wed, 2 Apr 2008 18:01:02 +1100
Subject: [Fedora-directory-users] 2xMulti-Masters Replicating to 2xDedicated Consumers
Message-ID: <8BED0ADCE0100241A8DD768706A2295CBFD29A@EXCHDP3.ffx.jfh.com.au>

Fedora Directory List,

I have two Multi-Master replicated servers at our main datacentre replicating between each other. I also have two Dedicated Consumers at our DR site receiving updates. Both Dedicated Consumers receive updates from both Multi-Masters (this is in case one of the Multi-Masters dies for whatever reason).

It works - and seems to work well. I imagine in a true DR situation I would change both Dedicated Consumers to be Multi-Masters and set them up to replicate between themselves.

My question is - am I following conventional wisdom and best practice by forming this setup arrangement?

Thanks

Joel
From solarflow99 at gmail.com Wed Apr 2 13:35:26 2008 From: solarflow99 at gmail.com (solarflow99) Date: Wed, 2 Apr 2008 14:35:26 +0100 Subject: [Fedora-directory-users] Group membership In-Reply-To: <47F372D4.2070003@zd-lj.si> References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com> <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net> <47F372D4.2070003@zd-lj.si> Message-ID: <7020fd000804020635r1b31c4dch8cf60c3eed131dc6@mail.gmail.com>
I use ldapadmin too, and reported a few bugs, but I didn't notice this one. I see that once you add a user to a group, all it does is add a MemberUID attribute to the group, so I don't think it should matter either way. I just tested this with samba, and it seems to work for me; however, I'm just using workgroups, not PDC or ADS. The only thing I can think of is the ldap group directive in smb.conf:
ldap group suffix = ou=Groups
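The distinction behind this thread is that Samba, nss_ldap and other POSIX consumers resolve group membership through the uid-valued memberUid attribute of a posixGroup, whereas a groupOfNames-style group records members as DNs in the member attribute; a user present only in member is invisible to them. The script below, an added example that is not part of the thread, of LDAP Admin or of the Fedora DS project, reads an LDIF export of the groups, finds uids that appear in member (or uniqueMember) but not in memberUid, and emits the ldapmodify changes that add them. The sample export is constructed; the group and user DNs are assumptions.

```python
"""Reconcile DN-valued member/uniqueMember with uid-valued memberUid on group
entries, producing LDIF for `ldapmodify -f`. Added example; stdlib only."""
import re
from collections import defaultdict

# Constructed sample export (not real data): cn=admins carries bob only in the
# DN-valued `member` attribute, so POSIX/Samba clients will not see him.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
cn: admins
gidNumber: 1001
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
memberUid: alice

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: staff
gidNumber: 1002
memberUid: alice
memberUid: carol
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr_lowercase: [values]}}.
    Unfolds continuation lines and skips comments; base64 (::) values and
    changetype records are out of scope for a plain export of groups."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # folded continuation line
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries[current[0]] = current[1]
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, defaultdict(list))
        elif current:
            current[1][attr].append(value)
    return entries


UID_RDN = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def uid_from_dn(dn):
    """uid RDN of a member DN, or None when the DN is not uid-based (cn=..., etc.)."""
    m = UID_RDN.match(dn.strip())
    return m.group(1) if m else None


def find_missing_memberuid(entries):
    """{group_dn: [uid, ...]} for members present as DNs in member/uniqueMember
    but absent from memberUid, which is what nss_ldap and Samba read."""
    missing = {}
    for dn, attrs in entries.items():
        have = {u.lower() for u in attrs.get("memberuid", [])}
        want = []
        for member_dn in attrs.get("member", []) + attrs.get("uniquemember", []):
            uid = uid_from_dn(member_dn)
            if uid and uid.lower() not in have:
                want.append(uid)
                have.add(uid.lower())          # do not add the same uid twice
        if want:
            missing[dn] = want
    return missing


def to_modify_ldif(missing):
    """LDIF change records that add the missing memberUid values."""
    records = []
    for dn, uids in missing.items():
        lines = [f"dn: {dn}", "changetype: modify", "add: memberUid"]
        lines += [f"memberUid: {u}" for u in uids]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + ("\n" if records else "")


if __name__ == "__main__":
    print(to_modify_ldif(find_missing_memberuid(parse_ldif(SAMPLE_LDIF))), end="")
```

Run it against `db2ldif` output (or an `ldapsearch -LLL` of ou=Groups) and review the generated changes before applying them: the reverse direction is just as important for access control, because a uid that remains in memberUid after the DN was removed from member keeps the user in the group for every POSIX client.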
From alan.orlic at zd-lj.si Thu Apr 3 04:29:26 2008 From: alan.orlic at zd-lj.si (Alan Orlič Belšak) Date: Thu, 03 Apr 2008 06:29:26 +0200 Subject: [Fedora-directory-users] Group membership In-Reply-To: <7020fd000804020635r1b31c4dch8cf60c3eed131dc6@mail.gmail.com> References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com> <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net> <47F372D4.2070003@zd-lj.si> <7020fd000804020635r1b31c4dch8cf60c3eed131dc6@mail.gmail.com> Message-ID: <47F45D26.2050808@zd-lj.si>
Thanks for the answer. I found out that if I add a user to a group via the group properties, LDAPAdmin puts it under the attribute member, and if I add the user to the group via the user properties, it adds the user under the attribute memberUid. Is it possible somehow to say that member is equal to memberUid, or how can I persuade LDAPAdmin to put users directly under the memberUid attribute?
Bye, Alan
From solarflow99 at gmail.com Thu Apr 3 09:07:16 2008 From: solarflow99 at gmail.com (solarflow99) Date: Thu, 3 Apr 2008 10:07:16 +0100 Subject: [Fedora-directory-users] Group membership In-Reply-To: <47F45D26.2050808@zd-lj.si> References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com> <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net> <47F372D4.2070003@zd-lj.si> <7020fd000804020635r1b31c4dch8cf60c3eed131dc6@mail.gmail.com> <47F45D26.2050808@zd-lj.si> Message-ID: <7020fd000804030207g3cf17b5ei3d5b908ba1f6e3f4@mail.gmail.com>
I don't really understand. All that happens for me is that the user name is assigned as MemberUid in the group's properties, no matter how I do it. The only exception is for a primary group. http://sourceforge.net/forum/forum.php?thread_id=1987409&forum_id=305548
From maximilianbianco at gmail.com Thu Apr 3 14:50:29 2008 From: maximilianbianco at gmail.com (max bianco) Date: Thu, 3 Apr 2008 10:50:29 -0400 Subject: [Fedora-directory-users] Initial setup Message-ID:
I have just installed directory services and run through the initial setup, but I am not able to get the console running. I won't bore anyone with all the silly details just yet. I've already found one goof of mine, so I am just planning on starting over from scratch. I really just want a pointer to the most up-to-date how-to for initial installation and setup.
I was using this: http://directory.fedoraproject.org/wiki/Install_Guide#Installation_Prerequisites Is this still accurate? Is there a better one? I am running F8.
Max

From valery.fauconnier at atosorigin.com Thu Apr 3 15:02:37 2008 From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT) Date: Thu, 3 Apr 2008 17:02:37 +0200 Subject: [Fedora-directory-users] Initial setup In-Reply-To: Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F293@eri.winad.be>
1) start the admin server:
/opt/fedora-ds/start-admin
2) start the console:
/opt/fedora-ds/startconsole -u admin -a http://yourserver:yourport/ &
where your port is located in the /opt/fedora-ds/admin-serv/config/console.conf file
From maximilianbianco at gmail.com Thu Apr 3 15:27:03 2008 From: maximilianbianco at gmail.com (max bianco) Date: Thu, 3 Apr 2008 11:27:03 -0400 Subject: [Fedora-directory-users] Initial setup In-Reply-To: <8B50AA62C37CB448A36B5076F9AB0E380122F293@eri.winad.be> References: <8B50AA62C37CB448A36B5076F9AB0E380122F293@eri.winad.be> Message-ID:
On Thu, Apr 3, 2008 at 11:02 AM, FAUCONNIER Valery AWL-IT wrote:
> 1) start adminserver : /opt/fedora-ds/start-admin
Running as root:
$ /opt/fedora-ds/start-admin
-bash: /opt/fedora-ds/start-admin: No such file or directory
This is my problem. Since I am not in a hurry I was going to start over, but maybe you could tell me why this was not created.
I have now found my second goof, so I am thinking starting over is a good idea since I am not too deep yet. Any advice appreciated.
Max

From rmeggins at redhat.com Thu Apr 3 15:32:09 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Apr 2008 09:32:09 -0600 Subject: [Fedora-directory-users] Initial setup In-Reply-To: References: Message-ID: <47F4F879.9080407@redhat.com>
max bianco wrote:
> I was using this :
> http://directory.fedoraproject.org/wiki/Install_Guide#Installation_Prerequisites
Yes, this is current.
> Is this still accurate? Is there a better one? I am running F8.
Fedora DS 1.0.4 or Fedora DS 1.1? For 1.1, the basic steps are, assuming a clean system:
yum install fedora-ds
setup-ds-admin.pl
fedora-idm-console -a http://localhost:9830/

From rnappert at juniper.net Thu Apr 3 16:02:08 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Thu, 3 Apr 2008 12:02:08 -0400 Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2 (32bit) based directory to 4.2 (64bit) Message-ID: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net>
Hi, Does anyone know if that works?
Thanks, -Reinhard
From rmeggins at redhat.com Thu Apr 3 16:12:15 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Apr 2008 10:12:15 -0600 Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2 (32bit) based directory to 4.2 (64bit) In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> Message-ID: <47F501DF.1040502@redhat.com>
Reinhard Nappert wrote:
> Does anyone know, if that works?
Are you talking about the migration script migrate-ds-admin.pl? If so, then yes. You will first have to export your databases to ldif, e.g. for a Fedora DS 1.0.4 installation:
cd /opt/fedora-ds/slapd-instance/db
../db2ldif -n userRoot -a `pwd`/userRoot.ldif
../db2ldif -n NetscapeRoot -a `pwd`/NetscapeRoot.ldif
... repeat for each database instance
The migration script will look for a file called /opt/fedora-ds/slapd-instance/db/.ldif and use that rather than the binary files. You should also run the migration script with the -x option to force it to use cross platform mode.
From rnappert at juniper.net Thu Apr 3 17:21:37 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Thu, 3 Apr 2008 13:21:37 -0400 Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <47F501DF.1040502@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net>
Thanks Rick, You are saying I have to export it first. Initially, I just built 1.1 in 32bit mode (with the identical db library). With that, I was even just using the same directory and it worked fine. So, I guess I have to go the export/import way.
Cheers, -Reinhard
From rmeggins at redhat.com Thu Apr 3 17:29:51 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Apr 2008 11:29:51 -0600 Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> Message-ID: <47F5140F.3070800@redhat.com>
Reinhard Nappert wrote:
> Initially, I just built 1.1 in 32bit mode (with the identical db library). With that, I was even just using the same directory and it worked fine. So, I guess I have to go the export/import way.
I'm just really not sure. I don't think we write any longs or other 64-bit values to the database with 1.1. So it may just work and be fine.
From richard at powerset.com Thu Apr 3 23:53:01 2008 From: richard at powerset.com (Richard Hesse) Date: Thu, 3 Apr 2008 16:53:01 -0700 Subject: [Fedora-directory-users] Broken MMR - DB_BUFFER_SMALL: User memory too small for return value Message-ID:
Scenario: two FDS 1.1 servers in a multi-master setup. Working fine for months without a hiccup (except to upgrade from 1.0.4), then replication suddenly stops working. Checking the logs, I see this:
[03/Apr/2008:23:44:00 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Failed to retrieve change with CSN 47f5710d000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
How should I go about troubleshooting this? Searching for replication conflicts didn't yield anything useful.
I tried running template-cl-dump.pl like the documentation suggested, but I couldn't find it anywhere in /usr/share/dirsrv/script-templates (FC6 system).
Thanks. -richard

From rnappert at juniper.net Fri Apr 4 13:01:59 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Fri, 4 Apr 2008 09:01:59 -0400 Subject: [Fedora-directory-users] Is it possible to migrateBerkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <47F5140F.3070800@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net>
Rick, It looks like it is ok just using the same old data and pointing to the db directory. However, I experienced one hiccup. During the migration of the config data (dse.ldif) within migrate-ds.pl, the migration of the nsstate attribute for the uniqueid generator fails. When starting the directory, I get:
[03/Apr/2008:15:46:26 -0400] uuid - read_state: failed to get generator's state
[03/Apr/2008:15:46:26 -0400] uuid - uuid_init: failed to get generator's state
[03/Apr/2008:15:46:26 -0400] uniqueid generator - uniqueIDGenInit: generator initialization failed
Do you have any idea?
-Reinhard
From doug.jantz at texturallc.net Thu Apr 3 21:19:11 2008 From: doug.jantz at texturallc.net (Doug Jantz) Date: Thu, 3 Apr 2008 16:19:11 -0500 Subject: [Fedora-directory-users] LDAP - AD Communication.
In-Reply-To: <47F5140F.3070800@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> Message-ID: <528FB5ADEC6FFC4280A0210B617D32DD4362B1@dfdsvw002.texturallc.net>
I have my FDS set up and communicating with an Active Directory server. I have the CA cert installed and a server cert for my server installed, and have begun replication. SSL has been turned on under replication - userroot - contract name... The problem is that I'm syncing users but not passwords under simple authentication, and when I turn on SSL authentication, I'm getting an LDAP error 7. Does anyone have an idea of where to start looking to see where I have gone wrong? Any help appreciated.

From rmeggins at redhat.com Fri Apr 4 14:19:21 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 04 Apr 2008 08:19:21 -0600 Subject: [Fedora-directory-users] Is it possible to migrateBerkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> Message-ID: <47F638E9.90609@redhat.com>
Reinhard Nappert wrote:
> Rick, It looks like it is ok just using the same old data and pointing to the db directory. However, I experienced one hiccup. During the migration of the config data (dse.ldif) within migrate-ds.pl, the migration of the nsstate attribute for the uniqueid generator fails.
> When starting the directory, I get:
> [03/Apr/2008:15:46:26 -0400] uuid - read_state: failed to get generator's state
> [03/Apr/2008:15:46:26 -0400] uuid - uuid_init: failed to get generator's state
> [03/Apr/2008:15:46:26 -0400] uniqueid generator - uniqueIDGenInit: generator initialization failed
> Do you have any idea?
Yes. Unfortunately, that attribute contains raw binary data that may not be 64-bit clean. If you shut down the server, delete that attribute, and start the server, does it work?
From rmeggins at redhat.com Fri Apr 4 14:34:51 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 04 Apr 2008 08:34:51 -0600 Subject: [Fedora-directory-users] Broken MMR - DB_BUFFER_SMALL: User memory too small for return value In-Reply-To: References: Message-ID: <47F63C8B.6060006@redhat.com>
Richard Hesse wrote:
> Scenario: two FDS 1.1 servers in a multi-master setup. Working fine for months without a hiccup (except to upgrade from 1.0.4), then replication suddenly stops working.
> Checking the logs, I see this:
> [03/Apr/2008:23:44:00 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Failed to retrieve change with CSN 47f5710d000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
> How should I go about troubleshooting this? Searching for replication conflicts didn't yield anything useful.
It looks as though it's attempting to read something from the changelog database, but it got the size wrong:
Errors: The DBcursor->get method may fail and return one of the following non-zero errors: DB_BUFFER_SMALL: The requested item could not be returned due to undersized buffer.
What version of db do you have on your system? i.e. rpm -qi db4. 32-bit or 64-bit? I'm not sure, but it looks as though the code is perhaps expecting bdb to return ENOMEM in this case, and perhaps the bdb API has changed to return DB_BUFFER_SMALL instead for this case?
> I tried running template-cl-dump.pl like the documentation suggested,
Which documentation? That needs to be updated.
> but I couldn't find it anywhere in /usr/share/dirsrv/script-templates (FC6 system).
/usr/bin/cl-dump
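A triage helper for the error discussed above, added here as an example that is not part of the thread or of the Fedora/389 DS tools. It pulls the agreement, peer, Berkeley DB error code and CSN out of each "Failed to retrieve change" line in the errors log and decodes the CSN into its timestamp, sequence number, replica ID and sub-sequence number, so you know which master generated the unreadable change before reaching for cl-dump. The sample log is constructed; its first line reproduces the one from the report, the other two are invented to show what is and is not matched.

```python
"""Parse NSMMReplicationPlugin changelog failures and decode their CSNs
(added example; the sample log lines are constructed)."""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
[03/Apr/2008:23:44:00 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Failed to retrieve change with CSN 47f5710d000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
[03/Apr/2008:23:44:05 +0000] NSMMReplicationPlugin - agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Replication bind with SIMPLE auth resumed
[03/Apr/2008:23:45:00 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Failed to retrieve change with CSN 47f5710e000200010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
"""

# Matches only the changelog-read failure; other plugin lines are skipped.
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - .*?'
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
    r'Failed to retrieve change with CSN (?P<csn>[0-9a-f]{20}); '
    r'db error - (?P<code>-?\d+) (?P<name>[A-Z_]+)'
)


def decode_csn(csn):
    """Split a CSN the way the server prints it: 8 hex digits of seconds since
    the epoch, then 4 each of sequence number, replica id and sub-sequence."""
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex characters")
    ts = int(csn[0:8], 16)
    return {
        "raw": csn,
        "timestamp": ts,
        "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def parse_changelog_errors(log_text):
    """One dict per matching line: log timestamp, agreement, peer host:port,
    numeric db error, its symbolic name and the decoded CSN."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["code"] = int(ev["code"])
            ev["csn"] = decode_csn(ev["csn"])
            events.append(ev)
    return events


def by_replica(events):
    """{replica id: [raw CSNs]}: which master generated the changes the
    changelog cannot hand back, i.e. whose changelog to inspect first."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["csn"]["replica_id"], []).append(ev["csn"]["raw"])
    return groups


if __name__ == "__main__":
    events = parse_changelog_errors(SAMPLE_LOG)
    for ev in events:
        c = ev["csn"]
        print(f'{ev["ts"]} {ev["peer"]} {ev["name"]}({ev["code"]}) '
              f'csn={c["raw"]} rid={c["replica_id"]} seq={c["seqnum"]} generated {c["time"]}')
    print(by_replica(events))
```

The decoded time is the generating master's CSN clock rather than the local wall clock; the server keeps CSNs monotonic across replicas, so it can run ahead of the timestamp at the front of the log line, as it does for the CSN in the report. A replication outage like this one is also an identity-security event: while the agreement is stalled, password changes, disabled accounts and lockout state stop propagating to the affected peer, so the time span covered by the first and last failing CSN is the window to review.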
From rnappert at juniper.net Fri Apr 4 15:30:44 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Fri, 4 Apr 2008 11:30:44 -0400 Subject: [Fedora-directory-users] Is it possibleto migrateBerkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <47F638E9.90609@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> <47F638E9.90609@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C03937AED@emailwf1.jnpr.net>
No, it does not. It looks like you need a value. So, I installed a 64-bit version from scratch, took that generated value into the migrated dse.ldif and started the server. This works, however it is kind of ugly. Now, this brings up another question: if I do something like that (with perl?), do I screw up my replication agreements?
-Reinhard
When starting > the directory, I get: > [03/Apr/2008:15:46:26 -0400] uuid - read_state: failed to get > generator's state > [03/Apr/2008:15:46:26 -0400] uuid - uuid_init: failed to get > generator's state > [03/Apr/2008:15:46:26 -0400] uniqueid generator - uniqueIDGenInit: > generator ini > tialization failed > > Do you have any idea? > Yes. Unfortunately, that attribute contains raw binary data that may not be 64-bit clean. If you shutdown the server, delete that attribute, and start the server, does it work? > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Thursday, April 03, 2008 1:30 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Is it possible to migrateBerkeley > 4.2(32bit) based directory to 4.2 (64bit) > > Reinhard Nappert wrote: > >> Thanks Rick, >> >> You are saying, I have to export it at first. >> >> Initially, I just built 1.1 in 32bit mode (with the identical db >> library). With that, I even was just using the same directory and it >> worked fine. So, I guess I have to go the export/import way. >> >> > I'm just really not sure. I don't think we write any longs or other > 64-bit values to the database with 1.1. So it may just work and be > fine. > >> Cheers, >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich >> Megginson >> Sent: Thursday, April 03, 2008 12:12 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Is it possible to migrate >> Berkeley >> 4.2(32bit) based directory to 4.2 (64bit) >> >> Reinhard Nappert wrote: >> >> >>> Hi, >>> >>> Does anyone know, if that works? >>> >>> >>> >> Are you talking about the migration script migrate-ds-admin.pl? 
If >> so, then yes. You will first have to export your databases to ldif >> e.g. for a Fedora DS 1.0.4 installation: >> cd /opt/fedora-ds/slapd-instance/db >> ../db2ldif -n userRoot -a `pwd`/userRoot.ldif ../db2ldif -n >> NetscapeRoot -a `pwd`/NetscapeRoot.ldif ... repeat for each database >> instance >> >> The migration script will look for a file called >> /opt/fedora-ds/slapd-instance/db/.ldif and use that >> rather than the binary files. >> >> You should also run the migration script with the -x option to force >> it to use cross platform mode. >> >> >>> Thanks, >>> -Reinhard >>> >>> --------------------------------------------------------------------- >>> - >>> -- >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Apr 4 16:08:40 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 04 Apr 2008 10:08:40 -0600 Subject: [Fedora-directory-users] Is it possibleto migrateBerkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03937AED@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com><3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com><3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> <47F638E9.90609@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937AED@emailwf1.jnpr.net> Message-ID: <47F65288.30605@redhat.com> Reinhard Nappert wrote: > No, it does not. It looks like you need a value. 
What if you shutdown, delete that entry completely from dse.ldif, then restart?

> So, I installed a 64 bit version from scratch, took that generated value
> in the migrated dse.ldif and started the server. This works, however it
> is kind of ugly. Now, this brings up another question: If I do something
> like that (with perl?), do I screw up my replication agreements?
>
> -Reinhard

From rnappert at juniper.net Fri Apr 4 16:35:36 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Fri, 4 Apr 2008 12:35:36 -0400
Subject: [Fedora-directory-users] Isit possibleto migrateBerkeley 4.2(32bit)based directory to 4.2 (64bit)
In-Reply-To: <47F65288.30605@redhat.com>
References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> <47F638E9.90609@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937AED@emailwf1.jnpr.net> <47F65288.30605@redhat.com>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C03937B2B@emailwf1.jnpr.net>

Yes, this works! How about existing replication agreements?
-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Friday, April 04, 2008 12:09 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Isit possibleto migrateBerkeley 4.2(32bit)based directory to 4.2 (64bit)

Reinhard Nappert wrote:
> No, it does not. It looks like you need a value.

What if you shutdown, delete that entry completely from dse.ldif, then restart?

> So, I installed a 64 bit version from scratch, took that generated
> value in the migrated dse.ldif and started the server. This works,
> however it is kind of ugly. Now, this brings up another question: If I
> do something like that (with perl?), do I screw up my replication agreements?
>
> -Reinhard

From rmeggins at redhat.com Fri Apr 4 17:14:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Apr 2008 11:14:12 -0600
Subject: [Fedora-directory-users] Isit possibleto migrateBerkeley 4.2(32bit)based directory to 4.2 (64bit)
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03937B2B@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937820@emailwf1.jnpr.net> <47F5140F.3070800@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937A22@emailwf1.jnpr.net> <47F638E9.90609@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937AED@emailwf1.jnpr.net> <47F65288.30605@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03937B2B@emailwf1.jnpr.net>
Message-ID: <47F661E4.8090502@redhat.com>

Reinhard Nappert wrote:
> Yes, this works! How about existing replication agreements?
I'm not sure. They may "just work" too.

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Friday, April 04, 2008 12:09 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Isit possibleto migrateBerkeley 4.2(32bit)based directory to 4.2 (64bit)
>
> Reinhard Nappert wrote:
>> No, it does not. It looks like you need a value.
>
> What if you shutdown, delete that entry completely from dse.ldif, then
> restart?
From ggistra at aol.com Fri Apr 4 20:14:16 2008
From: ggistra at aol.com (ggistra at aol.com)
Date: Fri, 04 Apr 2008 16:14:16 -0400
Subject: [Fedora-directory-users] Installing Server Certificates Using certutil
Message-ID: <8CA64A79769E4C8-520-15C9@webmail-db17.sysops.aol.com>

Regarding "Using certutil" section in the "Managing SSL and SASL" chapter of the Administrator's Guide 7.1:

The instructions seem to indicate that one should use the same password to protect
* the key and certificate databases
* the encryption key
* the certificates

Is this correct? Is the pwdfile.txt still needed after the certificates are generated?

The "Enabling SSL ..." section of the same chapter talks about creating the password file needed to restart the server automatically. This is presumably the same password used to generate certificates (or is it not?). Is there a way to achieve the unattended restart while avoiding placing the password in a cleartext file?

Thanks,
Gabi

From rmeggins at redhat.com Fri Apr 4 21:26:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Apr 2008 15:26:36 -0600
Subject: [Fedora-directory-users] Installing Server Certificates Using certutil
In-Reply-To: <8CA64A79769E4C8-520-15C9@webmail-db17.sysops.aol.com>
References: <8CA64A79769E4C8-520-15C9@webmail-db17.sysops.aol.com>
Message-ID: <47F69D0C.9060300@redhat.com>

ggistra at aol.com wrote:
> Regarding "Using certutil" section in the "Managing SSL and SASL"
> chapter of the Administrator's Guide 7.1:
>
> The instructions seem to indicate that one should use the same
> password to protect
> * the key and certificate databases
> * the encryption key
> * the certificates
>
> Is this correct?
> Is the pwdfile.txt still needed after the certificates are generated?

Not technically, but it's a good idea to keep it around in case you want to issue additional certs. You can always create it from the contents of the pin.txt file (assuming you have the same password).

> The "Enabling SSL ..." section of the same chapter talks
> about creating the password file needed to restart the server
> automatically. This is presumably the same password used to generate
> certificates (or is it not?).

It usually is the same, but it doesn't have to be.

> Is there a way to achieve the unattended restart while avoiding
> placing the password in a cleartext file?

You can also use the modutil -changepw command to change the password to a blank password (i.e. just hit Enter). But then your private key will be unprotected. It's essentially the same protection as the cleartext password file, but a little easier to manage.

> Thanks,
> Gabi

From paulo.estrela at unifacs.br Mon Apr 7 13:00:08 2008
From: paulo.estrela at unifacs.br (Paulo Estrela)
Date: Mon, 07 Apr 2008 10:00:08 -0300
Subject: [Fedora-directory-users] Directory merge
Message-ID: <47FA1AD8.5070708@unifacs.br>

Hi,

I work for a university in Brazil and a few months ago, we migrated the passwd files of the students' email server to FDS. Until now we had a system that was used to synchronize these two databases (AD and passwd files).
Now, I want to sync FDS and AD but the accounts exist in both systems. What will happen if I set up synchronization with these accounts in both systems? I want to preserve FDS information, possibly overwriting AD information. I thought of creating a new AD domain, but we have some login scripts and GPOs that we must preserve. Did anybody here do this?

Thanks everyone,

--
Paulo Estrela
Systems Administrator
Computer Labs Coordinator
Universidade Salvador - UNIFACS / www.unifacs.br

From andrey.ivanov at polytechnique.fr Mon Apr 7 14:29:09 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Mon, 7 Apr 2008 16:29:09 +0200
Subject: [Fedora-directory-users] Search filters with 'tab' (\09)
Message-ID: <1601b8650804070729u60c001aem9a98b47822b61c34@mail.gmail.com>

Hi,

I don't know whether it is a bug or a feature. If I make an ldapsearch (or a search by perl LDAP) the ESCAPED tab is not taken into account: the search

ldapsearch -x -D... -h -b "" "(uid=\09user1\09)"

gives the same result (the entry corresponding to user1) as

ldapsearch -x -D... -h -b "" "(uid=user1)"

The logs show that the filter successfully makes its way to the ldap core:

07/Apr/2008:16:03:30 +0200] conn=85418 op=3 SRCH base="..." scope=2 filter="(uid=\09user1\09)" attrs=ALL
07/Apr/2008:16:03:45 +0200] conn=85418 op=3 SRCH base="..." scope=2 filter="(uid=user1)" attrs=ALL

How do I then search for the attribute that starts with the tab symbol (\09)?

Thank you!

From rmeggins at redhat.com Mon Apr 7 14:38:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Apr 2008 08:38:36 -0600
Subject: [Fedora-directory-users] Search filters with 'tab' (\09)
In-Reply-To: <1601b8650804070729u60c001aem9a98b47822b61c34@mail.gmail.com>
References: <1601b8650804070729u60c001aem9a98b47822b61c34@mail.gmail.com>
Message-ID: <47FA31EC.7020107@redhat.com>

Andrey Ivanov wrote:
> Hi,
>
> I don't know whether it is a bug or a feature.
> If I make an ldapsearch (or a search by perl LDAP) the ESCAPED tab is
> not taken into account: the search
> ldapsearch -x -D... -h -b "" "(uid=\09user1\09)"
>
> gives the same result (the entry corresponding to user1) as
> ldapsearch -x -D... -h -b "" "(uid=user1)"
>
> The logs show that the filter successfully makes its way to the ldap core:
> 07/Apr/2008:16:03:30 +0200] conn=85418 op=3 SRCH base="..." scope=2 filter="(uid=\09user1\09)" attrs=ALL
> 07/Apr/2008:16:03:45 +0200] conn=85418 op=3 SRCH base="..." scope=2 filter="(uid=user1)" attrs=ALL
>
> How do I then search for the attribute that starts with the tab symbol (\09)?

If you do a "strings /var/lib/dirsrv/slapd-instance/db/userRoot/uid.db4" do you see the value with the leading tab character?

> Thank you!

From andrey.ivanov at polytechnique.fr Mon Apr 7 15:25:54 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Mon, 7 Apr 2008 17:25:54 +0200
Subject: [Fedora-directory-users] Search filters with 'tab' (\09)
In-Reply-To: <47FA31EC.7020107@redhat.com>
References: <1601b8650804070729u60c001aem9a98b47822b61c34@mail.gmail.com> <47FA31EC.7020107@redhat.com>
Message-ID: <1601b8650804070825m17429cd8p908db264ffc7f0b5@mail.gmail.com>

Thanks for a rapid reply. No, no leading tab. The value in the database is and was always ok and without 'tab' (your strings command gives me '=user1'). I was simply creating a perl script and saw that if I enter the uid with or without tab the ldap server returns the entry anyway, which I found to be strange because I escape the values in the filter...
You can add '\09' in the beginning and/or at the end of any ldap filter and it continues to work with FDS (you can try on your own server smth like "(uid=\09rmeggins\09\09)"... Don't know whether it is normal :)

2008/4/7, Rich Megginson :
> Andrey Ivanov wrote:
> > How do I then search for the attribute that starts with the tab symbol (\09)?
>
> If you do a "strings /var/lib/dirsrv/slapd-instance/db/userRoot/uid.db4"
> do you see the value with the leading tab character?

From richard at powerset.com Mon Apr 7 20:12:44 2008
From: richard at powerset.com (Richard Hesse)
Date: Mon, 7 Apr 2008 13:12:44 -0700
Subject: [Fedora-directory-users] Broken MMR - DB_BUFFER_SMALL: User memory too small for return value
In-Reply-To: <47F63C8B.6060006@redhat.com>
Message-ID:

Thanks for the reply Rich. It actually looks like we've got x86 and x64 builds of db4 on that server. I share this server with another team so I'll ask around who installed what.
I think the actual problem ended up being on-disk data corruption. There were a few other signs of the disk heading south and things have cleared up since resolving them.

As for the documentation URL that references that script:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Troubleshooting_Replication_Related_Problems.html

-richard

On 4/4/08 7:34 AM, "Rich Megginson" wrote:

Richard Hesse wrote:
> Scenario: two FDS 1.1 servers in a multi-master setup. Working fine for
> months without a hiccup (except to upgrade from 1.04) then replication
> suddenly stops working. Checking the logs, I see this:
>
> [03/Apr/2008:23:44:00 +0000] NSMMReplicationPlugin - changelog program -
> agmt="cn=MM aa0-006-8.u.powerset.com" (aa0-006-8:636): Failed to retrieve
> change with CSN 47f5710d000000010000; db error - -30999 DB_BUFFER_SMALL:
> User memory too small for return value
>
> How should I go about troubleshooting this? Searching for replication
> conflicts didn't yield anything useful.

What version of db do you have on your system? i.e. rpm -qi db4
32-bit or 64-bit?

> I tried running template-cl-dump.pl like the documentation suggested,

Which documentation? That needs to be updated.

> but I couldn't find it anywhere in /usr/share/dirsrv/script-templates
> (FC6 system).

/usr/bin/cl-dump

> Thanks.
> > -richard
> >
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From playactor at gmail.com Mon Apr 7 21:14:16 2008
From: playactor at gmail.com (Eric Brown)
Date: Mon, 7 Apr 2008 16:14:16 -0500
Subject: [Fedora-directory-users] Having problems with the Admin Console

I am using FDS 1.0.4, installing from the RPM downloaded from the FDS website for RHEL4

I used the silent install to setup the directory with the following information:

[General]
FullMachineName= blue.ds.server.com
ConfigDirectoryLdapURL= ldap://blue.ds.server.com:389/
SuiteSpotUserID= ldap
SuitespotGroup= ldap
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= secret1234
ServerRoot= /opt/fedora-ds
Components= svrcore,base,slapd,admin,nsperl,perldap
AdminDomain= ds.server.com

[slapd]
Components= slapd,slapd-client
ServerPort= 389
ServerIdentifier= grid-identity
Suffix= dc=blue,dc=com
RootDN= cn=Directory Manager
RootDNPwd= 1apple

[admin]
SysUser= ldap
Port= 23611
ServerIpAddress= 10.105.1.188
ServerAdminID= admin
ServerAdminPwd= secret1234
Components= admin,admin-client

[base]
Components= base,base-client,base-jre

[nsperl]
Components= nsperl

[perlldap]
Components= perlldap14

The silent installation completed, and I can start the slapd server, but all of the files I have seen referenced to starting the admin server are not in my installation.

From solarflow99 at gmail.com Mon Apr 7 23:18:55 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 8 Apr 2008 00:18:55 +0100
Subject: [Fedora-directory-users] Having problems with the Admin Console
Message-ID: <7020fd000804071618h4fc2d99eh227008d3e15fb90c@mail.gmail.com>

did you run the setup-ds.pl script or the setup-ds-admin.pl ?

On Mon, Apr 7, 2008 at 10:14 PM, Eric Brown wrote:
> I am using FDS 1.0.4, installing from the RPM downloaded from the FDS
> website for RHEL4
>
> I used the silent install to setup the directory with the following
> information:
>
> [...]
>
> The silent installation completed, and I can start the slapd server,
> but all of the files I have seen referenced to starting the admin
> server are not in my installation.
>

From rmeggins at redhat.com Tue Apr 8 01:13:32 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Apr 2008 19:13:32 -0600
Subject: [Fedora-directory-users] Having problems with the Admin Console
Message-ID: <47FAC6BC.7020804@redhat.com>

Eric Brown wrote:
> I am using FDS 1.0.4, installing from the RPM downloaded from the FDS
> website for RHEL4
>
> I used the silent install to setup the directory with the following information:
>
> [...]
>
> The silent installation completed, and I can start the slapd server,
> but all of the files I have seen referenced to starting the admin
> server are not in my installation.
>
I'm not sure what you mean. Can you provide more information about "all of the files I have seen referenced to starting the admin server"?
From valery.fauconnier at atosorigin.com Tue Apr 8 08:45:42 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Tue, 8 Apr 2008 10:45:42 +0200
Subject: [Fedora-directory-users] Having problems with the Admin Console
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be>

try this :

run command as root

1) make sure that PATH to java is known
2) cd /opt/fedora-ds
3) ./start-admin (if you get warnings when starting, the configuration files of the httpd server are located in /opt/fedora-ds/console.conf )
4) ./startconsole -u admin -a http://blue.ds.server.com:23611/
   or ./startconsole -u admin -a http://10.105.1.188:23611/

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Eric Brown
Sent: Monday 7 April 2008 23:14
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Having problems with the Admin Console

I am using FDS 1.0.4, installing from the RPM downloaded from the FDS website for RHEL4

I used the silent install to setup the directory with the following information:

[...]

The silent installation completed, and I can start the slapd server, but all of the files I have seen referenced to starting the admin server are not in my installation.

From playactor at gmail.com Tue Apr 8 15:02:50 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 8 Apr 2008 10:02:50 -0500
Subject: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be>

I ran the following command to set up my server, where silent.inf is the file that I posted in the original email.

/opt/fedora-ds/setup/setup -s -f silent.inf

After running that command, I do not have a 'start-admin' to run and there are no configuration files.

---------- Forwarded message ----------
From: FAUCONNIER Valery AWL-IT
Date: Tue, Apr 8, 2008 at 3:45 AM
Subject: RE: [Fedora-directory-users] Having problems with the Admin Console
To: "General discussion list for the Fedora Directory server project."

[...]

From rmeggins at redhat.com Tue Apr 8 15:06:56 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Apr 2008 09:06:56 -0600
Subject: [Fedora-directory-users] Having problems with the Admin Console
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be>
Message-ID: <47FB8A10.1050201@redhat.com>

Eric Brown wrote:
> I ran the following command to set up my server, where silent.inf is
> the file that I posted in the original email.
>
> /opt/fedora-ds/setup/setup -s -f silent.inf
>
> After running that command, I do not have a 'start-admin' to run and
> there are no configuration files.
>
Were there any errors from setup? There is no /opt/fedora-ds/start-admin? Are there any config files in /opt/fedora-ds/admin-serv/config?
>
> ---------- Forwarded message ----------
> From: FAUCONNIER Valery AWL-IT
> Date: Tue, Apr 8, 2008 at 3:45 AM
> Subject: RE: [Fedora-directory-users] Having problems with the Admin Console
> To: "General discussion list for the Fedora Directory server project."
>
> [...]
>

From valery.fauconnier at atosorigin.com Tue Apr 8 15:09:21 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Tue, 8 Apr 2008 17:09:21 +0200
Subject: [Fedora-directory-users] Having problems with the Admin Console
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F2AB@eri.winad.be>

my start-admin file looks like :

#!/bin/sh
# BEGIN COPYRIGHT BLOCK
# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# END COPYRIGHT BLOCK

# This script sets up the environment for the httpd server and starts it.
# There are two parameters which must be replaced - sroot and httpd
# for httpd, on RHEL, this will typically be something like /usr/sbin/httpd.worker
# On HP-UX, this may be /opt/hpws/apache/bin/httpd.

SERVER_ROOT=/opt/fedora-ds ; export SERVER_ROOT
NETSITE_ROOT=$SERVER_ROOT ; export NETSITE_ROOT
ADMSERV_ROOT=$SERVER_ROOT/admin-serv ; export ADMSERV_ROOT
unset PASSWORD_PIPE
LD_LIBRARY_PATH=${SERVER_ROOT}/bin/admin/lib:${SERVER_ROOT}/lib:${LD_LIBRARY_PATH};export LD_LIBRARY_PATH
LIBPATH=${LD_LIBRARY_PATH}:${LIBPATH}:/usr/threads/lib:/usr/ibmcxx/lib:/usr/lib:/lib; export LIBPATH
SHLIB_PATH=${LD_LIBRARY_PATH}:${SHLIB_PATH}; export SHLIB_PATH
NS_SERVER_HOME=${SERVER_ROOT}; export NS_SERVER_HOME
PATH=${SERVER_ROOT}/bin/admin/bin:${PATH}; export PATH

HTTPD=/usr/sbin//httpd.worker

# see if httpd is linked with the openldap libraries - we need to override them
OS=`uname -s`
if [ $OS = "Linux" ]; then
    hasol=0
    /usr/bin/ldd $HTTPD 2>&1 | grep libldap > /dev/null 2>&1 && hasol=1
    if [ $hasol -eq 1 ] ; then
        LD_PRELOAD="${SERVER_ROOT}/bin/admin/lib/libssl3.so ${SERVER_ROOT}/bin/admin/lib/libldap60.so"
    else
        # RHEL3 needs this in order to resolve the libldap60 SASL dependency
        LD_PRELOAD="${SERVER_ROOT}/bin/admin/lib/libldap60.so"
    fi
    export LD_PRELOAD
fi

$HTTPD -k start -d $ADMSERV_ROOT -f $ADMSERV_ROOT/config/httpd.conf "$@"

***************************************************************

stop-admin looks like :

[root at dwlpsys01 fedora-ds]# cat stop-admin
#!/bin/sh
# BEGIN COPYRIGHT BLOCK
# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# END COPYRIGHT BLOCK

SERVER_ROOT=/opt/fedora-ds ; export SERVER_ROOT
ADMSERV_ROOT=$SERVER_ROOT/admin-serv ; export ADMSERV_ROOT

PID_FILE=$ADMSERV_ROOT/logs/pid

if test -f $PID_FILE ; then
    kill -TERM -`cat $PID_FILE`
    if test $? -ne 0 ; then
        exit 1
    fi
else
    echo server not running
    exit 1
fi

loop_counter=1
max_count=30
while test $loop_counter -le $max_count; do
    loop_counter=`expr $loop_counter + 1`
    if test -f $PID_FILE ; then
        sleep 2
    else
        exit 0
    fi
done
echo server not responding to exit command
echo killing process group
kill -9 -`cat $PID_FILE`
rm $PID_FILE
exit 1

***********************************************************

restart-admin looks like :

#!/bin/sh
# BEGIN COPYRIGHT BLOCK
# Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
# Copyright (C) 2005 Red Hat, Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# END COPYRIGHT BLOCK

SERVER_ROOT=/opt/fedora-ds ; export SERVER_ROOT
$SERVER_ROOT/stop-admin
sleep 3
$SERVER_ROOT/start-admin

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Eric Brown
Sent: Tuesday 8 April 2008 17:03
To: fedora-directory-users at redhat.com
Subject: Re: [Fedora-directory-users] Having problems with the Admin Console

I ran the following command to set up my server, where silent.inf is the file that I posted in the original email.

/opt/fedora-ds/setup/setup -s -f silent.inf

After running that command, I do not have a 'start-admin' to run and there are no configuration files.

[...]
From playactor at gmail.com Tue Apr 8 18:16:06 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 8 Apr 2008 13:16:06 -0500
Subject: Fwd: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To: <47FB8A10.1050201@redhat.com>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com>

I am running the silent install through a perl script that I have written. I wasn't getting any errors back to the script, but it looks like that was just because I wasn't checking for them. I ran the install from the command line and this is what printed out:

INFO Begin Setup . . .
[slapd-grid-identity]: starting up server ...
[slapd-grid-identity]: Fedora-Directory/1.0.4 B2006.312.435
[slapd-grid-identity]: blue.ds.server.com:389 (/opt/fedora-ds/slapd-grid-identity)
[slapd-grid-identity]:
[slapd-grid-identity]: [08/Apr/2008:13:06:51 -0500] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[slapd-grid-identity]: [08/Apr/2008:13:06:55 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url ldap://blue.ds.server.com:389/o=NetscapeRoot user id admin (153:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
InstallInfo: Apache Directory "ApacheDir" is missing.

What is the problem with admin? I did not see "ApacheDir" anywhere in the Directives listing in the instructions for the silent install.
---------- Forwarded message ---------- From: Rich Megginson Date: Tue, Apr 8, 2008 at 10:06 AM Subject: Re: [Fedora-directory-users] Having problems with the Admin Console To: "General discussion list for the Fedora Directory server project." Eric Brown wrote: > I ran the following command to set up my server, where silent.inf is > the file that I posted in the original email. > > /opt/fedora-ds/setup/setup -s -f silent.inf > > After running that command, I do not have a 'start-admin' to run and > there are no configuration files. > > Were there any errors from setup? There is no /opt/fedora-ds/start-admin? Are there any config files in /opt/fedora-ds/admin-serv/config? > > > ---------- Forwarded message ---------- > From: FAUCONNIER Valery AWL-IT > Date: Tue, Apr 8, 2008 at 3:45 AM > Subject: RE: [Fedora-directory-users] Having problems with the Admin Console > To: "General discussion list for the Fedora Directory server project." > > > > try this : > > run command as root > > 1) make sure that PATH to java is known > 2) cd /opt/fedora-ds > 3) ./start-admin (if you have warning when starting, there are > configuration files httpd server located in > /opt/fedora-ds/console.conf ) > 4) ./startconsole -u admin -a http://blue.ds.server.com:23611/ > or ./startconsole -u admin -a http://10.105.1.188:23611/ > > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Eric > Brown > Sent: Monday 7 April 2008 23:14 > To: fedora-directory-users at redhat.com > Subject: [Fedora-directory-users] Having problems with the Admin Console > > > I am using FDS 1.0.4, installing from the RPM downloaded from the FDS > website for RHEL4 > > I used the silent install to setup the directory with the following > information: > > [General] > FullMachineName= blue.ds.server.com > ConfigDirectoryLdapURL= ldap://blue.ds.server.com:389/ > SuiteSpotUserID= ldap > SuitespotGroup= ldap > 
ConfigDirectoryAdminID= admin > ConfigDirectoryAdminPwd= secret1234 > ServerRoot= /opt/fedora-ds > Components= svrcore,base,slapd,admin,nsperl,perldap > AdminDomain= ds.server.com > > [slapd] > Components= slapd,slapd-client > ServerPort= 389 > ServerIdentifier= grid-identity > Suffix= dc=blue,dc=com > RootDN= cn=Directory Manager > RootDNPwd= 1apple > > [admin] > SysUser= ldap > Port= 23611 > ServerIpAddress= 10.105.1.188 > ServerAdminID= admin > ServerAdminPwd= secret1234 > Components= admin,admin-client > > [base] > Components= base,base-client,base-jre > > [nsperl] > Components= nsperl > > [perlldap] > Components= perlldap14 > > The silent installation completed, and I can start the slapd server, > but all of the files I have seen referenced to starting the admin > server are not in my installation. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > Atos Worldline SA/NV - Chaussee de Haecht 1442 Haachtsesteenweg > - 1130 Brussels - Belgium > RPM-RPR Bruxelles-Brussel - TVA-BTW BE 0418.547.872 > Bankrekening-Compte Bancaire-Bank Account 310-0269424-44 > BIC BBRUBEBB - IBAN BE55 3100 2694 2444 > > "The information contained in this e-mail and any attachment thereto > is confidential and may contain information which is protected by > intellectual property rights. > This information is intended for the exclusive use of the > recipient(s) named above. > This e-mail does not constitute any binding relationship or offer > toward any of the addressees. > If you are not one of the addressees , one of their employees or a > proxy holder entitled to hand over this message to the addressee(s), > any use of the information contained herein (e.g. reproduction, > divulgation, communication or distribution,...) is prohibited. > If you have received this message in error, please notify the sender > and destroy it immediately after. 
> The integrity and security of this message cannot be guaranteed and
> it may be subject to data corruption, interception and unauthorized
> amendment, for which we accept no liability."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: not available
URL:

From rmeggins at redhat.com Tue Apr 8 18:30:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Apr 2008 12:30:03 -0600
Subject: Fwd: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To:
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com>
Message-ID: <47FBB9AB.6070303@redhat.com>

Eric Brown wrote:
> I am running the silent install through a perl script that I have
> written. I wasn't getting any errors back to the script, but it looks
> like that was just because I wasn't checking for them. I ran the
> install from the command line and this is what printed out:
>
> INFO Begin Setup . . .
> [slapd-grid-identity]: starting up server ...
> [slapd-grid-identity]: Fedora-Directory/1.0.4 B2006.312.435
> [slapd-grid-identity]: blue.ds.server.com:389 (/opt/fedora-ds/slapd-grid-identity)
> [slapd-grid-identity]:
> [slapd-grid-identity]: [08/Apr/2008:13:06:51 -0500] - Fedora-Directory/1.0.4 B2006.312.435 starting up
> [slapd-grid-identity]: [08/Apr/2008:13:06:55 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Fatal Slapd ERROR: Ldap authentication failed for url
> ldap://blue.ds.server.com:389/o=NetscapeRoot user id admin
> (153:Unknown error.)
> Fatal Slapd Did not add Directory Server information to Configuration Server.
> Configuring Administration Server...
> InstallInfo: Apache Directory "ApacheDir" is missing.

The best way to construct a silent install is to run a regular, interactive setup with the -k option, then grab the /opt/fedora-ds/setup/install.inf file and modify it.

> What is the problem with admin? I did not see "ApacheDir" anywhere in
> the Directives listing in the instructions for the silent install.

From playactor at gmail.com Tue Apr 8 18:43:44 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 8 Apr 2008 13:43:44 -0500
Subject: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To: <47FBB9AB.6070303@redhat.com>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com>
Message-ID:

I still can't get past the admin user. There are no users in the database, as far as I know, since it is a clean installation. The setup script just gives me the following:

In order to reconfigure your installation, the Configuration Directory
Administrator password is required. Here is your current information:

Configuration Directory:
Configuration Administrator ID: admin

At the prompt, please enter the password for the Configuration Administrator.

Fedora configuration directory server
administrator ID [admin]:
passoword:

Could not connect to
Press any key to continue.
From rmeggins at redhat.com Tue Apr 8 18:51:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Apr 2008 12:51:23 -0600
Subject: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To:
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com>
Message-ID: <47FBBEAB.20303@redhat.com>

Eric Brown wrote:
> I still can't get past the admin user. There are no users in the
> database, as far as I know, since it is a clean installation.

I don't think it is a clean install, based on the output below.

> The setup script just gives me the following:
>
> In order to reconfigure your installation, the Configuration Directory
> Administrator password is required. Here is your current information:
>
> Configuration Directory:
> Configuration Administrator ID: admin
>
> At the prompt, please enter the password for the Configuration Administrator.
The key word here is "reconfigure".

> Fedora configuration directory server
> administrator ID [admin]:
> passoword:
>
> Could not connect to
> Press any key to continue.

From playactor at gmail.com Tue Apr 8 19:17:45 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 8 Apr 2008 14:17:45 -0500
Subject: [Fedora-directory-users] Having problems with the Admin Console
In-Reply-To: <47FBBEAB.20303@redhat.com>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com> <47FBBEAB.20303@redhat.com>
Message-ID:

Ok, that seemed to have fixed my problems. Thanks for the help.
---------- Forwarded message ---------- From: Rich Megginson Date: Tue, Apr 8, 2008 at 1:51 PM Subject: Re: [Fedora-directory-users] Having problems with the Admin Console To: "General discussion list for the Fedora Directory server project." Eric Brown wrote: > I still can't get past the admin user. There are no users in the > database, as far as I know, since it is a clean installation. > > I don't think it is a clean install, based on the output below. > The setup script just gives me the following: > > In order to reconfigure your installation, the Configuration Directory > Administrator password is required. Here is your current information: > > Configuration Directory: > Configuration Administrator ID: admin > > At the prompt, please enter the password for the Configuration Administrator. > > The key word here is "reconfigure". > > > > > Fedora configuration directory server > administrator ID [admin]: > passoword: > > Could not connect to > Press any key to continue. > > > > ---------- Forwarded message ---------- > From: Rich Megginson > Date: Tue, Apr 8, 2008 at 1:30 PM > Subject: Re: Fwd: [Fedora-directory-users] Having problems with the > Admin Console > To: "General discussion list for the Fedora Directory server project." > > > > Eric Brown wrote: > > > > > I am running the silent install through a perl script that I have > > written, I wasn't getting any errors back to the script, but it looks > > like that was just because I wasn't checking for them. I ran the > > install from the command line and this is what printed out: > > > > INFO Begin Setup . . . > > [slapd-grid-identity]: starting up server ... 
> > [slapd-grid-identity]: Fedora-Directory/1.0.4 B2006.312.435 > > [slapd-grid-identity]: blue.ds.server.com:389 > > (/opt/fedora-ds/slapd-grid-identity) > > [slapd-grid-identity]: > > [slapd-grid-identity]: [08/Apr/2008:13:06:51 -0500] - > > Fedora-Directory/1.0.4 B2006.312.435 starting up > > [slapd-grid-identity]: [08/Apr/2008:13:06:55 -0500] - slapd started. > > Listening on All Interfaces port 389 for LDAP requests > > Your new directory server has been started. > > Created new Directory Server > > Start Slapd Starting Slapd server configuration. > > Fatal Slapd ERROR: Ldap authentication failed for url > > ldap://blue.ds.server.com:389/o=NetscapeRoot user id admin > > (153:Unknown error.) > > Fatal Slapd Did not add Directory Server information to Configuration Server. > > Configuring Administration Server... > > InstallInfo: Apache Directory "ApacheDir" is missing. > > > > > > > > > The best way to construct a silent install is to run a regular, > interactive setup with the -k option, then grab the > /opt/fedora-ds/setup/install.inf file and modify it. > > > > > > > What is the problem with admin? I did not see "ApacheDir" anywhere in > > the Directives listing in the instructions for the silent install. > > > > ---------- Forwarded message ---------- > > From: Rich Megginson > > Date: Tue, Apr 8, 2008 at 10:06 AM > > Subject: Re: [Fedora-directory-users] Having problems with the Admin Console > > To: "General discussion list for the Fedora Directory server project." > > > > > > > > Eric Brown wrote: > > > > > > > > > > > > > I ran the following command to set up my server, where silent.inf is > > > the file that I posted in the original email. > > > > > > /opt/fedora-ds/setup/setup -s -f silent.inf > > > > > > After running that command, I do not have a 'start-admin' to run and > > > there are no configuration files. > > > > > > > > > > > > > > > > > > > > Were there any errors from setup? There is no > > /opt/fedora-ds/start-admin? 
Are there any config files in > > /opt/fedora-ds/admin-serv/config? > > > > > > > > > > > > > > > > > ---------- Forwarded message ---------- > > > From: FAUCONNIER Valery AWL-IT > > > Date: Tue, Apr 8, 2008 at 3:45 AM > > > Subject: RE: [Fedora-directory-users] Having problems with the Admin Console > > > To: "General discussion list for the Fedora Directory server project." > > > > > > > > > > > > try this : > > > > > > run command as root > > > > > > 1) make sure that PATH to java is known > > > 2) cd /opt/fedora-ds > > > 3) ./start-admin (if you have warning when starting, there are > > > configuration files httpd server located in > > > /opt/fedora-ds/console.conf ) > > > 4) ./startconsole -u admin -a http://blue.ds.server.com:23611/ > > > or ./startconsole -u admin -a http://10.105.1.188:23611/ > > > > > > > > > > > > -----Original Message----- > > > From: fedora-directory-users-bounces at redhat.com > > > [mailto:fedora-directory-users-bounces at redhat.com]On Behalf Of Eric > > > Brown > > > Sent: Monday 7 April 2008 23:14 > > > To: fedora-directory-users at redhat.com > > > Subject: [Fedora-directory-users] Having problems with the Admin Console > > > > > > > > > I am using FDS 1.0.4, installing from the RPM downloaded from the FDS > > > website for RHEL4 > > > > > > I used the silent install to setup the directory with the following > > > information: > > > > > > [General] > > > FullMachineName= blue.ds.server.com > > > ConfigDirectoryLdapURL= ldap://blue.ds.server.com:389/ > > > SuiteSpotUserID= ldap > > > SuitespotGroup= ldap > > > ConfigDirectoryAdminID= admin > > > ConfigDirectoryAdminPwd= secret1234 > > > ServerRoot= /opt/fedora-ds > > > Components= svrcore,base,slapd,admin,nsperl,perldap > > > AdminDomain= ds.server.com > > > > > > [slapd] > > > Components= slapd,slapd-client > > > ServerPort= 389 > > > ServerIdentifier= grid-identity > > > Suffix= dc=blue,dc=com > > > RootDN= cn=Directory Manager > > > RootDNPwd= 1apple > > > > > > [admin] > > > 
SysUser= ldap > > > Port= 23611 > > > ServerIpAddress= 10.105.1.188 > > > ServerAdminID= admin > > > ServerAdminPwd= secret1234 > > > Components= admin,admin-client > > > > > > [base] > > > Components= base,base-client,base-jre > > > > > > [nsperl] > > > Components= nsperl > > > > > > [perlldap] > > > Components= perlldap14 > > > > > > The silent installation completed, and I can start the slapd server, > > > but all of the files I have seen referenced to starting the admin > > > server are not in my installation. > > > > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > Atos Worldline SA/NV - Chaussee de Haecht 1442 Haachtsesteenweg > > > - 1130 Brussels - Belgium > > > RPM-RPR Bruxelles-Brussel - TVA-BTW BE 0418.547.872 > > > Bankrekening-Compte Bancaire-Bank Account 310-0269424-44 > > > BIC BBRUBEBB - IBAN BE55 3100 2694 2444 > > > > > > "The information contained in this e-mail and any attachment thereto > > > is confidential and may contain information which is protected by > > > intellectual property rights. > > > This information is intended for the exclusive use of the > > > recipient(s) named above. > > > This e-mail does not constitute any binding relationship or offer > > > toward any of the addressees. > > > If you are not one of the addressees , one of their employees or a > > > proxy holder entitled to hand over this message to the addressee(s), > > > any use of the information contained herein (e.g. reproduction, > > > divulgation, communication or distribution,...) is prohibited. > > > If you have received this message in error, please notify the sender > > > and destroy it immediately after. > > > The integrity and security of this message cannot be guaranteed and > > > it may be subject to data corruption, interception and unauthorized > > > amendment, for which we accept no liability." 
From ggistra at aol.com Tue Apr 8 19:41:51 2008
From: ggistra at aol.com (ggistra at aol.com)
Date: Tue, 08 Apr 2008 15:41:51 -0400
Subject: [Fedora-directory-users] certutil
Message-ID: <8CA67C7B9CA5AEF-1590-171D@webmail-dd16.sysops.aol.com>

Step 5 in section "Using certutil" of The Directory Server Administrator's Guide 7.1, Chapter 11, generates "the encryption key" using the -G option. According to the certutil documentation, this generates a public/private key pair.
What is this key pair used for? It doesn't seem to be the key used for the self-signed certificate or the server certificate, as the -S switch on certutil - judging by the available options for -S - appears to generate a new key pair.

Thanks,
Gabi

From rmeggins at redhat.com Tue Apr 8 19:50:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Apr 2008 13:50:41 -0600
Subject: [Fedora-directory-users] certutil
In-Reply-To: <8CA67C7B9CA5AEF-1590-171D@webmail-dd16.sysops.aol.com>
References: <8CA67C7B9CA5AEF-1590-171D@webmail-dd16.sysops.aol.com>
Message-ID: <47FBCC91.8010606@redhat.com>

ggistra at aol.com wrote:
>
> Step 5 in section "Using certutil" of The Directory Server
> Administrator's Guide 7.1, Chapter 11, generates "the encryption key"
> using the -G option. According to the certutil documentation, this
> generates a public/private key pair.

I think it's the encryption key for the self signed CA you are creating.

> /What is this key pair used for?/ It doesn't seem to be the key used
> for the self-signed certificate or the server certificate, as the -S
> switch on certutil - judging by the available options for -S -
> appears to generate a new key pair.
>
> Thanks,
> Gabi
From master99 at ryuuo.com Tue Apr 8 23:57:15 2008
From: master99 at ryuuo.com (田中 康平)
Date: Wed, 09 Apr 2008 08:57:15 +0900
Subject: [Fedora-directory-users] Manage Password Policy
Message-ID: <47FC065B.3040209@ryuuo.com>

i try to set up fedora ds recently.
so, i have one problem.

$ /usr/bin/fedora-idm-console &

click Directory Server
click Directory tab
right click on People of left panel

Manage Password Policy -> For user... or For subtree select

display set field but immediately window widget is all grey color, don't work!
but new -> user... group... is good. work fine.

so, i try to install jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05 or jdk1.5.0_15
but, it's same on jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05

OS: fedora6(DELL PowerEdge440) or fedora8(DELL PowerEdge840)
both is same problem.

From ulf.weltman at hp.com Wed Apr 9 00:28:11 2008
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 08 Apr 2008 17:28:11 -0700
Subject: [Fedora-directory-users] Manage Password Policy
In-Reply-To: <47FC065B.3040209@ryuuo.com>
References: <47FC065B.3040209@ryuuo.com>
Message-ID: <47FC0D9B.60209@hp.com>

The input fields, radio buttons, checkboxes and lists in the lower sections should be grayed out until the checkbox at the top labeled "Create subtree level password policy" or "Create user level password policy" has been checked. This checkbox should not be grayed out -- is it?

田中 康平 wrote:
> i try to set up fedora ds recently.
> so, i have one problem.
>
> $ /usr/bin/fedora-idm-console &
>
> click Directory Server
> click Directory tab
> right click on People of left panel
>
> Manage Password Policy -> For user... or For subtree select
>
> display set field but immediately window widget is all grey color,
> don't work!
> but new -> user... group... is good. work fine.
>
> so, i try to install jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05 or
> jdk1.5.0_15
>
> but, it's same on jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05
>
> OS: fedora6(DELL PowerEdge440) or fedora8(DELL PowerEdge840)
>
> both is same problem.

From chachan at ryuuo.com Tue Apr 8 15:43:22 2008
From: chachan at ryuuo.com (田中 康平)
Date: Wed, 09 Apr 2008 00:43:22 +0900
Subject: [Fedora-directory-users] Manage Password Policy
Message-ID: <47FB929A.1030805@ryuuo.com>

i try to set up fedora ds recently.
so, i have one problem.

$ /usr/bin/fedora-idm-console &

click Directory Server
click Directory tab
right click on People of left panel

Manage Password Policy -> For user... or For subtree select

display set field but immediately window widget is all grey color, don't work!
but new -> user... group... is good. work fine.

so, i try to install jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05 or jdk1.5.0_15
but, it's same on jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05

OS: fedora6(DELL PowerEdge440) or fedora8(DELL PowerEdge840)
both is same problem.

From j.barber at dundee.ac.uk Wed Apr 9 17:35:29 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 9 Apr 2008 18:35:29 +0100
Subject: [Fedora-directory-users] Manage Password Policy
In-Reply-To: <47FB929A.1030805@ryuuo.com>
References: <47FB929A.1030805@ryuuo.com>
Message-ID: <20080409173529.GE8627@flea.lifesci.dundee.ac.uk>

On Wed, Apr 09, 2008 at 12:43:22AM +0900, 田中 康平 wrote:
>
> i try to set up fedora ds recently.
> so, i have one problem.
>
> $ /usr/bin/fedora-idm-console &
>
> click Directory Server
> click Directory tab
> right click on People of left panel
>
> Manage Password Policy -> For user... or For subtree select
>
> display set field but immediately window widget is all grey color,
> don't work!
> but new -> user... group... is good. work fine.

I'm not sure I follow, are you trying to right click on an entry then, "Manage Password Policy"->"For user" and is it the "save" button that's greyed out?

If so, have you enabled the fine-grained password policy? This is set in the GUI under the "Configuration" tab under the "Password" tab for the "Data" object in the tree.

Cheers.

> so, i try to install jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05 or
> jdk1.5.0_15
>
> but, it's same on jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05
>
> OS: fedora6(DELL PowerEdge440) or fedora8(DELL PowerEdge840)
> both is same problem.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From beyonddc.storage at gmail.com Wed Apr 9 20:03:58 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 9 Apr 2008 16:03:58 -0400
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Message-ID: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com>

Hi group,

I'm currently looking into LDAP authentication and would like to know about what is the preferred authentication mechanism. If I want to use TLS for authentication, should I use LDAPS or startTLS?

From my understanding, LDAPS was introduced in LDAPv2 and startTLS is introduced in LDAPv3.

I surfed on the Internet, and it appears that startTLS should be deprecating LDAPS but a lot of people are still using LDAPS today.
Beside startTLS, what are some other popular LDAP authentication mechanisms that are widely used in today's enterprise world?

Thanks!

David

From gholbert at broadcom.com Wed Apr 9 20:20:25 2008
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 09 Apr 2008 13:20:25 -0700
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
In-Reply-To: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com>
References: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com>
Message-ID: <47FD2509.4090508@broadcom.com>

Hi David,

You're correct that LDAPS is deprecated. I think most people would encourage you to prefer StartTLS.
However, you may still want to use LDAPS in your environment depending on what LDAP client applications your service will need to support. Several LDAP client programs still only support LDAPS, or have no support at all for transport layer security. Your particular usage scenario will be the most influential factor. If your LDAP service will be used with a variety of clients, odds are there's at least a few that will only support LDAPS.

> Beside startTLS, what are some other popular LDAP authentication
> mechanisms that are widely used in today's enterprise world?

As far as FDS, check out the following:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/SASL.html
http://directory.fedoraproject.org/wiki/Documentation

Chun Tat David Chu wrote:
> Hi group,
>
> I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to
> use TLS for authentication, should I use LDAPS or startTLS?
>
> From my understanding, LDAPS was introduced in LDAPv2 and startTLS is
> introduced in LDAPv3.
>
> I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.
>
> Beside startTLS, what are some other popular LDAP authentication
> mechanisms that are widely used in today's enterprise world?
>
> Thanks!
>
> David

From beyonddc.storage at gmail.com Wed Apr 9 20:28:04 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 9 Apr 2008 16:28:04 -0400
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
In-Reply-To: <47FD2509.4090508@broadcom.com>
References: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com> <47FD2509.4090508@broadcom.com>
Message-ID: <20e4c38c0804091328q150e1c61ucb36bc5bf80d6c58@mail.gmail.com>

Thanks George

I agree with you on the point you made about the possibility of LDAP clients that only support LDAPS. I'll look into that more to see if there is a need for LDAPS in my environment.

- David

On Wed, Apr 9, 2008 at 4:20 PM, George Holbert wrote:
> Hi David,
>
> You're correct that LDAPS is deprecated. I think most people would
> encourage you to prefer StartTLS.
> However, you may still want to use LDAPS in your environment depending on
> what LDAP client applications your service will need to support. Several
> LDAP client programs still only support LDAPS, or have no support at all for
> transport layer security. Your particular usage scenario will be the most
> influential factor. If your LDAP service will be used with a variety of
> clients, odds are there's at least a few that will only support LDAPS.
>
> > Beside startTLS, what are some other popular LDAP authentication
> > mechanisms that are widely used in today's enterprise world?
>
> As far as FDS, check out the following:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/SASL.html
> http://directory.fedoraproject.org/wiki/Documentation
>
> Chun Tat David Chu wrote:
> > Hi group,
> >
> > I'm currently looking into LDAP authentication and would like to know
> > about what is the preferred authentication mechanism. If I want to use TLS
> > for authentication, should I use LDAPS or startTLS?
> >
> > From my understanding, LDAPS was introduced in LDAPv2 and startTLS is
> > introduced in LDAPv3.
> >
> > I surfed on the Internet, and it appears that startTLS should be
> > deprecating LDAPS but a lot of people are still using LDAPS today.
> >
> > Beside startTLS, what are some other popular LDAP authentication
> > mechanisms that are widely used in today's enterprise world?
> >
> > Thanks!
> >
> > David
From koippa at gmail.com Wed Apr 9 20:45:47 2008
From: koippa at gmail.com (Kimmo Koivisto)
Date: Wed, 9 Apr 2008 23:45:47 +0300
Subject: [Fedora-directory-users] Loads of db log files, how to clean
Message-ID: <200804092345.47852.koippa@gmail.com>

Hello

My FDS (1.0.4 in RHEL4) is generating loads of db log files:

-rw------- 1 nobody nobody 10M Apr 9 22:32 log.0000011814
-rw------- 1 nobody nobody 10M Apr 9 22:36 log.0000011815
-rw------- 1 nobody nobody 10M Apr 9 22:40 log.0000011816
-rw------- 1 nobody nobody 10M Apr 9 22:44 log.0000011817
-rw------- 1 nobody nobody 10M Apr 9 22:48 log.0000011818
-rw------- 1 nobody nobody 10M Apr 9 22:53 log.0000011819
-rw------- 1 nobody nobody 10M Apr 9 22:57 log.0000011820
-rw------- 1 nobody nobody 10M Apr 9 23:01 log.0000011821
-rw------- 1 nobody nobody 10M Apr 9 23:05 log.0000011822

I just realized that I had an unindexed attribute that was searched constantly. I have ~500 entries stored in FDS. Can that cause massive db log files (now 17Gb) and can I just delete those? Or how to do the cleaning?

After realizing that the searches were mostly unindexed, I created an index entry for the attribute.

Regards,
Kimmo

From michael at stroeder.com Wed Apr 9 22:37:44 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 10 Apr 2008 00:37:44 +0200
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
In-Reply-To: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com>
References: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com>
Message-ID: <47FD4538.6010308@stroeder.com>

Chun Tat David Chu wrote:
>
> I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to use
> TLS for authentication, should I use LDAPS or startTLS?

Both are not client authentication mechs if you don't use client certificates.
In most deployments the SSL/TLS protocol provides server authentication and an encrypted data communication channel.

> I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.

I'd simply support both. LDAPS has the advantage that you can really mandate that the client must successfully establish an encrypted channel *before* sending any LDAP PDU with possibly confidential information.

Ciao, Michael.

From edlinuxguru at gmail.com Wed Apr 9 23:14:03 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Wed, 9 Apr 2008 19:14:03 -0400
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
In-Reply-To: <47FD4538.6010308@stroeder.com>
References: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com> <47FD4538.6010308@stroeder.com>
Message-ID:

start tls is an extended operation. Your ldap server may not support it. With start TLS part of the conversation happens unencrypted.

On Wed, Apr 9, 2008 at 6:37 PM, Michael Ströder wrote:
> Chun Tat David Chu wrote:
> >
> > I'm currently looking into LDAP authentication and would like to know
> > about what is the preferred authentication mechanism. If I want to use TLS
> > for authentication, should I use LDAPS or startTLS?
>
> Both are not client authentication mechs if you don't use client
> certificates. In most deployments the SSL/TLS protocol provides server
> authentication and an encrypted data communication channel.
>
> > I surfed on the Internet, and it appears that startTLS should be
> > deprecating LDAPS but a lot of people are still using LDAPS today.
>
> I'd simply support both. LDAPS has the advantage that you can really
> mandate that the client must successfully establish an encrypted channel
> *before* sending any LDAP PDU with possibly confidential information.
>
> Ciao, Michael.
From koippa at gmail.com Thu Apr 10 03:11:10 2008
From: koippa at gmail.com (Kimmo Koivisto)
Date: Thu, 10 Apr 2008 06:11:10 +0300
Subject: [Fedora-directory-users] Loads of db log files, how to clean
In-Reply-To: <200804092345.47852.koippa@gmail.com>
References: <200804092345.47852.koippa@gmail.com>
Message-ID: <200804100611.10406.koippa@gmail.com>

> Hello
>
> My FDS (1.0.4 in RHEL4) is generating loads of db log files:
> ... can I just delete those? Or how to do the
> cleaning?

And it seems that it did the cleaning itself. I restarted FDS, it took 45 minutes to start but after that things seem to be okay :)

"[10/Apr/2008:00:02:07 +0300] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[10/Apr/2008:00:02:07 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[10/Apr/2008:00:45:17 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests"

Regards,
Kimmo

From beyonddc.storage at gmail.com Thu Apr 10 05:14:05 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 10 Apr 2008 01:14:05 -0400
Subject: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
In-Reply-To:
References: <20e4c38c0804091303p6e811e06gca9beef79d2d47ec@mail.gmail.com> <47FD4538.6010308@stroeder.com>
Message-ID: <20e4c38c0804092214l6f037630t1a2e0551ef3de6f8@mail.gmail.com>

>> Both are not client authentication mechs if you don't use client certificates. In most deployments the SSL/TLS protocol provides server authentication and an encrypted data communication channel.

>> I'd simply support both. LDAPS has the advantage that you can really mandate that the client must successfully establish an encrypted channel *before* sending any LDAP PDU with possibly confidential information.

Thanks for your info.
I probably will support both LDAPS and startTLS in my deployment.

>> start tls is an extended operation. Your ldap server may not support it. With start TLS part of the conversation happens unencrypted.

Yup, fortunately Fedora DS supports startTLS. :-)

- David

On Wed, Apr 9, 2008 at 7:14 PM, Edward Capriolo wrote:
> start tls is an extended operation. Your ldap server may not support
> it. With start TLS part of the conversation happens unencrypted.
>
> On Wed, Apr 9, 2008 at 6:37 PM, Michael Ströder wrote:
> > Chun Tat David Chu wrote:
> > >
> > > I'm currently looking into LDAP authentication and would like to know
> > > about what is the preferred authentication mechanism. If I want to use TLS
> > > for authentication, should I use LDAPS or startTLS?
> >
> > Both are not client authentication mechs if you don't use client
> > certificates. In most deployments the SSL/TLS protocol provides server
> > authentication and an encrypted data communication channel.
> >
> > > I surfed on the Internet, and it appears that startTLS should be
> > > deprecating LDAPS but a lot of people are still using LDAPS today.
> >
> > I'd simply support both. LDAPS has the advantage that you can really
> > mandate that the client must successfully establish an encrypted channel
> > *before* sending any LDAP PDU with possibly confidential information.
> >
> > Ciao, Michael.
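The StartTLS exchange that Michael Ströder and Edward Capriolo describe in this thread, at the byte level, as an added example that is not part of the list discussion: the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) and the server's ExtendedResponse both travel in cleartext, so a client has to check the result code before it wraps the socket, and must close rather than continue unencrypted on anything other than success. Pure standard library; the PDUs are constructed by hand and the helper names are this example's own.

```python
# Added example (not from the list thread): the StartTLS extended operation
# on the wire (RFC 4511 section 4.14).  With StartTLS the first LDAP PDU in
# each direction is unencrypted, so the client must verify the server's
# ExtendedResponse before handing the socket to TLS, and fail closed on
# anything else.  Pure stdlib; the PDUs are constructed here by hand.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


# --- minimal BER encoding (only what an LDAPMessage needs) ------------------

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _int(n: int) -> bytes:
    """INTEGER content for n >= 0, with a leading 0x00 when the high bit is set."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))   # 0x77 = [APPLICATION 23]
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + ext_req)


def build_extended_response(message_id, result_code, diagnostic="", response_name=STARTTLS_OID):
    """What a server sends back: ExtendedResponse [APPLICATION 24] (used to construct test PDUs)."""
    body = _tlv(0x0A, _int(result_code)) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    if response_name is not None:
        body += _tlv(0x8A, response_name.encode("ascii"))   # responseName [10]
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x78, body))


# --- decoding ---------------------------------------------------------------

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(pdu: bytes) -> dict:
    tag, msg, end = _read_tlv(pdu)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, rc, pos = _read_tlv(body)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    response_name = None
    while pos < len(body):                      # optional responseName / responseValue
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": response_name}


def may_wrap_tls(pdu: bytes, expected_id: int) -> bool:
    """Fail closed: hand the socket to TLS (ssl.SSLContext.wrap_socket) only when
    the server answered success (0) to *our* request.  Any other result, a
    malformed PDU, or a mismatched messageID means close the connection; a
    client must never fall back to binding in cleartext."""
    try:
        r = parse_extended_response(pdu)
    except (ValueError, IndexError):
        return False
    return r["message_id"] == expected_id and r["result_code"] == 0
```

With LDAPS none of this negotiation exists, which is exactly the guarantee Michael points out: the TLS handshake happens before the first LDAP PDU.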
From abliss at brockport.edu Thu Apr 10 12:40:30 2008
From: abliss at brockport.edu (Aaron Bliss)
Date: Thu, 10 Apr 2008 08:40:30 -0400
Subject: [Fedora-directory-users] warnings in /var/log/secure
Message-ID: <47FE0ABE.7020303@brockport.edu>

Hi everyone,
I have several redhat 4 and 5 machines authenticating successfully against our ldap servers. I used authconfig to configure the clients and everything works great, ssh, vsftp, etc. However, for some reason, I always see a log entry similar to the following in /var/log/secure, even though the login works:

Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195 user=user1

Here is the contents of /etc/nsswitch.conf

cat /etc/nsswitch.conf | grep -v \#
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

Any ideas? Thanks for your help.

Aaron

From lysholm at tut.by Thu Apr 10 12:42:19 2008
From: lysholm at tut.by (Егор Дубин)
Date: Thu, 10 Apr 2008 15:42:19 +0300
Subject: [Fedora-directory-users] Question about Fedora DS <-> MS AD Syncing
Message-ID:

Hi all!

First of all, excuse me for my English :/

Not so long ago I've become a sysadmin of a Win2003 AD with ~14000 users and ~120 computers, placed into a huge amount of OUs (60 or even more, I think). Since the LDAP functions of an AD seem to be rather poor to me, I've tried to start FDS, everything works fine, but as I've understood, am I to create OUs in FDS by hand???

So, that is the question: is there a way to sync OUs automatically??
From glenn at mail.txwes.edu Thu Apr 10 13:10:28 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 10 Apr 2008 08:10:28 -0500
Subject: [Fedora-directory-users] Windows Sync and Posix
Message-ID: <20080410130455.M92162@mail.txwes.edu>

We are trying to replicate user data between Fedora Directory 1.0.4 and Active Directory using Windows Sync. It works fine until we add the posix objectclass to users in FD. This seems to break replication. Can anyone supply a workaround for this?

Thanks.

-G.

From Dennis.DeMarco at lexisnexis.com Wed Apr 9 19:18:50 2008
From: Dennis.DeMarco at lexisnexis.com (DeMarco, Dennis)
Date: Wed, 9 Apr 2008 15:18:50 -0400
Subject: [Fedora-directory-users] LDAP Sync scripts
In-Reply-To: <47FBB9AB.6070303@redhat.com>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com>
Message-ID: <1946415220FCB3408F01DB0A3D91AC6264C6C7@SEISINTMX01>

I am wondering if anyone knows of any decent tools to sync between two LDAP servers. I have an older LDAP server that I want to sync some subtrees to a newer one before a switchover. Are there any tools out there that can do this easily? If not I'll have to write something, but I'm trying to be lazy.

Thanks,
Dennis

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
From beyonddc.storage at gmail.com Thu Apr 10 15:05:15 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 10 Apr 2008 11:05:15 -0400
Subject: [Fedora-directory-users] certutil
In-Reply-To: <47FBCC91.8010606@redhat.com>
References: <8CA67C7B9CA5AEF-1590-171D@webmail-dd16.sysops.aol.com> <47FBCC91.8010606@redhat.com>
Message-ID: <20e4c38c0804100805v7a11f736m80d57be67792ed19@mail.gmail.com>

I posted a similar question on the NSS newsgroup and asked about the usage of certutil documented in the RH DS Admin Guide. The response I got is that step 5 in section "using certutil" is a no-op.

For detail, please see http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/ae13056d51d189ac

- David

On Tue, Apr 8, 2008 at 3:50 PM, Rich Megginson wrote:
> ggistra at aol.com wrote:
> >
> > Step 5 in section "Using certutil" of The Directory Server
> > Administrator's Guide 7.1, Chapter 11, generates "the encryption key" using
> > the -G option. According to the certutil documentation, this generates a
> > public/private key pair.
>
> I think it's the encryption key for the self signed CA you are creating.
>
> > /What is this key pair used for?/ It doesn't seem to be the key used for
> > the self-signed certificate or the server certificate, as the -S switch on
> > certutil - judging by the available options for -S - appears to generate a
> > new key pair.
> > Thanks,
> > Gabi
From smooge at gmail.com Thu Apr 10 17:21:33 2008
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 10 Apr 2008 11:21:33 -0600
Subject: [Fedora-directory-users] warnings in /var/log/secure
In-Reply-To: <47FE0ABE.7020303@brockport.edu>
References: <47FE0ABE.7020303@brockport.edu>
Message-ID: <80d7e4090804101021o5f817c4em72535c9725da278e@mail.gmail.com>

On Thu, Apr 10, 2008 at 6:40 AM, Aaron Bliss wrote:
> Hi everyone,
> I have several redhat 4 and 5 machines authenticating successfully against
> our ldap servers. I used authconfig to configure the clients and everything
> works great, ssh, vsftp, etc. However, for some reason, I always see a log
> entry similar to the following in /var/log/secure, even though the login
> works;
> Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195
> user=user1
>
> Here is the contents of /etc/nsswitch.conf
> cat /etc/nsswitch.conf | grep -v \#
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>

I think we will need the contents of /etc/pam.d/system-auth for anyone to help.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From abliss at brockport.edu Thu Apr 10 18:34:14 2008
From: abliss at brockport.edu (Aaron Bliss)
Date: Thu, 10 Apr 2008 14:34:14 -0400
Subject: [Fedora-directory-users] warnings in /var/log/secure
In-Reply-To: <80d7e4090804101021o5f817c4em72535c9725da278e@mail.gmail.com>
References: <47FE0ABE.7020303@brockport.edu> <80d7e4090804101021o5f817c4em72535c9725da278e@mail.gmail.com>
Message-ID: <47FE5DA6.5020505@brockport.edu>

An HTML attachment was scrubbed...

From cgibbons at tahc.state.tx.us Thu Apr 10 21:25:25 2008
From: cgibbons at tahc.state.tx.us (Carol Gibbons)
Date: Thu, 10 Apr 2008 16:25:25 -0500
Subject: [Fedora-directory-users] configuration prob with fedora-idm-console.bat
Message-ID: <6.1.2.0.2.20080410162026.02a04b10@tahc.state.tx.us>

I've seen where other folks have had this problem with the Windows Admin Console setup and it's perplexing. Any reasons why I can't get this application to launch? It keeps coming up with the "set your java PATH" error. Any help would be appreciated. I have installed JRE 1.6.0_05

Thanks,
Carol

Here's my fedora-idm-console.bat with my modifications:

echo off
rem BEGIN COPYRIGHT BLOCK
rem Copyright (C) 2005 Red Hat, Inc.
rem All rights reserved.
rem
rem This library is free software; you can redistribute it and/or
rem modify it under the terms of the GNU Lesser General Public
rem License as published by the Free Software Foundation version
rem 2.1 of the License.
rem
rem This library is distributed in the hope that it will be useful,
rem but WITHOUT ANY WARRANTY; without even the implied warranty of
rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
rem Lesser General Public License for more details.
rem
rem You should have received a copy of the GNU Lesser General Public
rem License along with this library; if not, write to the Free Software
rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
rem END COPYRIGHT BLOCK

rem set the JAVA to use here
rem set JAVA=

if not "%JAVA%foo"=="foo" goto launch
where java > nul 2>&1 || goto findjre
set JAVA=C:\Program Files\Java\jre1.6.0_05\bin\java.exe

:findjre
rem look for Java Runtime Environment in registry
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1 || goto findjdk
rem can we grab the java location from the registry?
rem set JAVA=
rem apparently not, in a batch file
rem goto launch
echo The Java Runtime Environment is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:findjdk
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || goto nojava
rem can we grab the java location from the registry?
rem set JAVA=
rem goto launch
echo The Java Development Kit is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:nojava
echo Java does not appear to be installed on this machine. Please download and install the Java Runtime Environment and make sure the java.exe command is in the PATH of this command.
pause goto end :launch set BASEPATH=C:\Fedora Identity Management Console set FIDMCONSOLEJARDIR=C:\Fedora Identity Management Console set CONSOLEJARDIR=C:\Fedora Identity Management Console set JSSDIR=C:\Fedora Identity Management Console set LDAPJARDIR=C:\Fedora Identity Management Console set PATH=C:\Fedora Identity Management Console;C:\Program Files\Java\jre1.6.0_05\bin\java.exe rem rem Launch the Console rem echo on "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp "%JSSDIR%\jss4.jar;%LDAPJARDIR%\ldapjdk.jar;%CONSOLEJARDIR%\idm-console-base.jar;%CONSOLEJARDIR%\idm-console-mcc.jar;%CONSOLEJARDIR%\idm-console-mcc_en.jar;%CONSOLEJARDIR%\idm-console-nmclf.jar;%CONSOLEJARDIR%\idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%\fedora-idm-console_en.jar" -Djava.util.prefs.systemRoot=%HOME%\.fedora-idm-console -Djava.util.prefs.userRoot=%HOME%\.fedora-idm-console com.netscape.management.client.console.Console %* :end From patrick.morris at hp.com Thu Apr 10 21:28:22 2008 From: patrick.morris at hp.com (Patrick Morris) Date: Thu, 10 Apr 2008 14:28:22 -0700 Subject: [Fedora-directory-users] configuration prob with fedora-idm-console.bat In-Reply-To: <6.1.2.0.2.20080410162026.02a04b10@tahc.state.tx.us> References: <6.1.2.0.2.20080410162026.02a04b10@tahc.state.tx.us> Message-ID: <20080410212822.GU30359@bakgwai.americas.hpqcorp.net> Hi Carol! On Thu, 10 Apr 2008, Carol Gibbons wrote: > I've seen where other folks have had this problem with the Windows Admin > Console setup and it's perplexing. Any reasons why I can't get this > application to launch? It keeps coming up with set your java PATH error. See this part?: > rem set the JAVA to use here > rem set JAVA= Do that. 
:)

From smooge at gmail.com Thu Apr 10 22:49:49 2008
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 10 Apr 2008 16:49:49 -0600
Subject: [Fedora-directory-users] warnings in /var/log/secure
In-Reply-To: <47FE5DA6.5020505@brockport.edu>
References: <47FE0ABE.7020303@brockport.edu> <80d7e4090804101021o5f817c4em72535c9725da278e@mail.gmail.com> <47FE5DA6.5020505@brockport.edu>
Message-ID: <80d7e4090804101549o250b2164vd8862b9fcb84caa7@mail.gmail.com>

On Thu, Apr 10, 2008 at 12:34 PM, Aaron Bliss wrote:
>
> Thanks for getting back to me. Here is /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass

Ok I see that we have hand changed the above line to:

auth sufficient pam_unix.so likeauth nullok nodelay

..... same lines deleted.

>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Don't have the above line

Our basic ldap.conf is the following.. I changed the o= and ou=

egrep -v '^$|^[[:space:]]*$|^\#' /etc/ldap.conf
base o=ZiaUniversity,c=US
uri ldaps://ldap.ziauniversity.edu/
binddn uid=l33tdude,ou=GodsPeeps,o=ZiaUniversity,c=US
bindpw XXXXXXXXXXXX
timelimit 120
bind_timelimit 10
bind_policy soft
idle_timelimit 3600
nss_base_netgroup ou=Dudes,o=University of New Mexico,c=US?one
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
ssl on
tls_cacertdir /etc/openldap/cacerts

If you have a 'host ldap.uni.edu' it may try to do a non SSL connection first and fail and then a SSL one.

>
> Stephen John Smoogen wrote:
> On Thu, Apr 10, 2008 at 6:40 AM, Aaron Bliss wrote:
>
> Hi everyone,
> I have several redhat 4 and 5 machines authenticating successfully against
> our ldap servers. I used authconfig to configure the clients and everything
> works great, ssh, vsftp, etc. However, for some reason, I always see a log
> entry similar to the following in /var/log/secure, even though the login
> works;
> Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195
> user=user1
>
> Here is the contents of /etc/nsswitch.conf
> cat /etc/nsswitch.conf | grep -v \#
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> I think we will need the contents of /etc/pam.d/system-auth for anyone to
> help .
>
> --
> Aaron Bliss
> Systems Administrator
> SUNY Brockport
> (585) 395-2417
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From master99 at ryuuo.com Fri Apr 11 03:33:14 2008
From: master99 at ryuuo.com (K.Tanaka)
Date: Fri, 11 Apr 2008 12:33:14 +0900
Subject: [Fedora-directory-users] Manage Password Policy
In-Reply-To: <20080409173529.GE8627@flea.lifesci.dundee.ac.uk>
References: <47FB929A.1030805@ryuuo.com> <20080409173529.GE8627@flea.lifesci.dundee.ac.uk>
Message-ID: <47FEDBFA.2080905@ryuuo.com>

THANKS but,

$ java -version
java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
Java HotSpot(TM) Client VM (build 10.0-b19, mixed mode)

In case, "Manage Password Policy"->"For user"......"close button" only

jdk1.7.0(IcedTea)
In case, "Manage Password Policy"->"For user"......
the "For user" title does not appear

Jonathan Barber wrote:
> On Wed, Apr 09, 2008 at 12:43:22AM +0900, ????? wrote:
>
>> I tried to set up fedora ds recently.
>> so, I have one problem.
>>
>> $ /usr/bin/fedora-idm-console &
>>
>> click Directory Server
>> click Directory tab
>> right click on People in the left panel
>>
>> Manage Password Policy -> For user... or For subtree select
>>
>> the set fields are displayed, but immediately the window widgets all turn grey,
>> don't work!
>> but New -> User... Group... is good. works fine.
>>
> I'm not sure I follow, are you trying to right click on an entry then,
> "Manage Password Policy"->"For user" and is it the "save" button that's
> greyed out?
>
> If so, have you enabled the fine-grained password policy? This is set in
> the GUI under the "Configuration" tab under the "Password" tab for the
> "Data" object in the tree.
>
> Cheers.
>
>> so, I tried to install jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05 or
>> jdk1.5.0_15
>>
>> but, it's the same on jdk1.7.0(IcedTea) or jdk1.6.0_10 or jdk1.6.0_05
>>
>> OS: fedora6(DELL PowerEdge440) or fedora8(DELL PowerEdge840)
>> both have the same problem.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>

--
---------------------------------------------------
(?)?? ?? ??
mail: chachan at ryuuo.com
---------------------------------------------------

From ecjbosu at aol.com Fri Apr 11 04:57:25 2008
From: ecjbosu at aol.com (Joe Byers)
Date: Thu, 10 Apr 2008 23:57:25 -0500
Subject: [Fedora-directory-users] Fedora-idm-console does not accept password
Message-ID: <1207889845.17526.3.camel@financialseal.localdomain>

I installed FDS 1.1 the other day on my redhat EL5 server. Tested the system and it seems to be working. When I execute fedora-idm-console -D 9 -a https://financialseal:9380 -f console.log the console window locks on the password field. Tab does not work, enter does not work, nothing.
The OK button stays disabled. The other fields are fine. I think it has something to do with my java version. I have tried every one from 1.4.2 (ibm/bea) through 1.6 (bea/sun).

I can access the DS using the windows tool on my XP box, log in, and browse to all tabs. I can log in to the DS using my browser on both my server, my xp box, and my other linux computer here at home.

Only on my server does this error occur. My console.log dump is below.

Any suggestions would be greatly appreciated.

Thank you in advance.

java.util.prefs.userRoot=/root/.fedora-idm-console
java.runtime.name=Java(TM) SE Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/i386
java.vm.version=10.0-b19
java.vm.vendor=Sun Microsystems Inc.
java.vendor.url=http://java.sun.com/
path.separator=:
java.vm.name=Java HotSpot(TM) Server VM
file.encoding.pkg=sun.io
sun.java.launcher=SUN_STANDARD
user.country=US
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/root
java.runtime.version=1.6.0_05-b13
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/endorsed
os.arch=i386
java.io.tmpdir=/tmp
line.separator=

java.vm.specification.vendor=Sun Microsystems Inc.
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib
java.specification.name=Java Platform API Specification
java.class.version=50.0
sun.management.compiler=HotSpot Tiered Compilers
os.version=2.6.18-84.el5PAE
user.home=/root
user.timezone=America/Chicago
java.awt.printerjob=sun.print.PSPrinterJob
file.encoding=UTF-8
java.specification.version=1.6
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:
/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:
/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:
/usr/share/java/idm-console-nmclf_en.jar:
/usr/share/java/fedora-idm-console-1.1.1_en.jar
user.name=root
java.vm.specification.version=1.0
java.home=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre
sun.arch.data.model=32
java.util.prefs.systemRoot=/root/.fedora-idm-console
user.language=en
java.specification.vendor=Sun Microsystems Inc.
java.vm.info=mixed mode
java.version=1.6.0_05
java.ext.dirs=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/ext:
/usr/java/packages/lib/ext
sun.boot.class.path=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/resources.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/rt.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/sunrsasign.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/jsse.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/jce.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/charsets.jar:
/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/classes
java.vendor=Sun Microsystems Inc.
file.separator=/
java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport.cgi
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little
sun.cpu.isalist=
Fedora-Management-Console/1.1.0 B2007.354.1015
RemoteImage: NOT found in cache loader16032330:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader16032330
RemoteImage: NOT found in cache loader16032330:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache loader16032330:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache loader16032330:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache loader16032330:com.netscape.management.client.components.components
RemoteImage: NOT found in cache loader16032330:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache loader16032330:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache loader16032330:com.netscape.management.client.util.default
ResourceSet: found in cache loader16032330:com.netscape.management.client.util.default
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
JButtonFactory: button width = 54
JButtonFactory: button height = 19
JButtonFactory: button width = 90
JButtonFactory: button width = 72
ResourceSet: found in cache loader16032330:com.netscape.management.client.util.default

From del at babel.com.au Fri Apr 11 11:55:45 2008
From: del at babel.com.au (Del)
Date: Fri, 11 Apr 2008 21:55:45 +1000
Subject: [Fedora-directory-users] LDAP Sync scripts
In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C6C7@SEISINTMX01>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C6C7@SEISINTMX01>
Message-ID: <47FF51C1.9060403@babel.com.au>

DeMarco, Dennis wrote:
> I am wondering if anyone knows of any decent tools to sync between two
> LDAP servers.
>
> I have an older LDAP server that I want to sync some subtrees to a newer
> one before a switchover. Is there any tools out there that can do this
> easily?

http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

Should do the job. It doesn't "maintain sync" if that's what you're after, for that you probably need a meta-directory product of some kind. It does do a one off sync quite nicely though.

--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864

From rmeggins at redhat.com Fri Apr 11 15:20:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 11 Apr 2008 09:20:21 -0600
Subject: [Fedora-directory-users] Fedora-idm-console does not accept password
In-Reply-To: <1207889845.17526.3.camel@financialseal.localdomain>
References: <1207889845.17526.3.camel@financialseal.localdomain>
Message-ID: <47FF81B5.9050708@redhat.com>

Joe Byers wrote:
> I installed FDS 1.1 the other day on my redhat EL5 server.
Did you install using these directions?
http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5

i386 or x86_64? Looks like i386 based on the console output.
> Tested the
> system and it seem to be working. When I execute fedora-idm-console -D
> 9 -a https://financialseal:9380 -f console.log the console window locks
> on the password field. Tab does not work, enter does not work,
> nothing. The OK button stays disabled. The other fields are fine. I
> think it has something to do with my java version. I have tried every
> one from 1.4.2 (ibm/bea) through 1.6 (bea/sun)
>
We do most all of our testing using IBM JRE 1.5 (i386 or x86_64) - did you try that?
> I can access the DS using the windows tool on my XP box, login in, and
> browse to all tabs. I can log in to the DS using my browser on both my
> server, my xp box, and my other linux computer here at home.
>
> Only on my server does this error occur. my console.log dump is below.
>
> Any suggestions would be greatly appreciated.
>
> Thank you in advance.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
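Rich reads the platform off the property dump Joe posted (os.arch=i386, sun.arch.data.model=32). The script below is an added example, not code from this thread or from the Fedora Directory Server project: it parses a -D 9 console dump like Joe's into a property map, rejoining the classpath and ext-dir values that the mail wrapped onto continuation lines after each ':', and reports the facts asked for here (JRE vendor and version, architecture and bitness, the jars on the classpath). Its two findings follow only what the thread itself says: Rich's note that 1.6 has known console issues and that the project tests with IBM JRE 1.5, and the dump's own user.name=root, since a GUI client talking HTTPS to the admin server does not need root. SAMPLE_DUMP is a constructed excerpt of Joe's dump; parse_dump, path_entries and review_environment are names chosen for this example.

```python
"""Parse a fedora-idm-console "-D 9" property dump and report JRE vendor
and version, platform, classpath jars and the account the console runs as.

Added example, not code from the thread or the Fedora Directory Server
project. SAMPLE_DUMP is a constructed excerpt of the dump posted in the
thread, kept in the wrapped form the mail shows."""

import re
from typing import Dict, List

# "key=value" with no whitespace in the key; console log lines such as
# "JButtonFactory: button width = 54" deliberately do not match.
_PROP_RE = re.compile(r"^([A-Za-z_][\w.]*)=(.*)$")

SAMPLE_DUMP = """\
java.util.prefs.userRoot=/root/.fedora-idm-console
java.runtime.name=Java(TM) SE Runtime Environment
java.vm.vendor=Sun Microsystems Inc.
path.separator=:
java.vm.name=Java HotSpot(TM) Server VM
user.dir=/root
os.arch=i386
line.separator=

os.name=Linux
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:
/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:
/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:
/usr/share/java/idm-console-nmclf_en.jar:
/usr/share/java/fedora-idm-console-1.1.1_en.jar
user.name=root
sun.arch.data.model=32
java.version=1.6.0_05
java.ext.dirs=/usr/lib/jvm/java-1.6.0-sun-1.6.0.5/jre/lib/ext:
/usr/java/packages/lib/ext
sun.cpu.isalist=
Fedora-Management-Console/1.1.0 B2007.354.1015
RemoteImage: NOT found in cache loader16032330:com/netscape/management/nmclf/icons/Error.gif
JButtonFactory: button width = 54
"""


def parse_dump(text: str) -> Dict[str, str]:
    """Return the key=value properties of a console dump.

    A line starting with "/" directly after a property is a mail-wrapped
    continuation of that property's value (assumption for this example);
    any other non-property line (banner, RemoteImage, JButtonFactory)
    closes the current property and is ignored.
    """
    props: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        match = _PROP_RE.match(line.rstrip("\r"))
        if match:
            current = match.group(1)
            props[current] = match.group(2)
        elif line.startswith("/") and current is not None:
            props[current] += line.rstrip("\r")
        elif line.strip():
            current = None  # a log line, never a wrapped value
    return props


def path_entries(props: Dict[str, str], key: str) -> List[str]:
    """Split a path-list property on the JVM's own path.separator."""
    sep = props.get("path.separator", ":")
    return [p for p in props.get(key, "").split(sep) if p]


def review_environment(props: Dict[str, str]) -> Dict[str, object]:
    """Summarise the dump and list the points a reviewer would raise."""
    findings = []
    version = props.get("java.version", "")
    # Per the thread: 1.6 has known console issues, IBM 1.5 is tested.
    if version.startswith("1.6"):
        findings.append("java.version %s: thread reports console issues "
                        "on 1.6; the project tests with IBM JRE 1.5" % version)
    # Least privilege: the GUI client does not need the root account.
    if props.get("user.name") == "root":
        findings.append("user.name=root: run the console as an unprivileged user")
    jars = path_entries(props, "java.class.path")
    odd = [j for j in jars if not j.endswith(".jar")]
    if odd:
        findings.append("non-jar classpath entries: %s" % ", ".join(odd))
    return {
        "vendor": props.get("java.vm.vendor", "?"),
        "version": version or "?",
        "platform": "%s (%s-bit)" % (props.get("os.arch", "?"),
                                     props.get("sun.arch.data.model", "?")),
        "jars": jars,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_environment(parse_dump(SAMPLE_DUMP))
    for key in ("vendor", "version", "platform"):
        print("%-9s %s" % (key + ":", report[key]))
    print("jars:     %d on classpath" % len(report["jars"]))
    for finding in report["findings"]:
        print("finding:  " + finding)
```

Run it against a real console.log written with -f and the same three lines plus findings come out; the continuation rule is the one thing to revisit if a dump is captured unwrapped, in which case it simply never fires.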
From ecjbosu at aol.com Fri Apr 11 21:40:26 2008
From: ecjbosu at aol.com (Joe)
Date: Fri, 11 Apr 2008 16:40:26 -0500
Subject: [Fedora-directory-users] Re: Fedora-idm-console does not accept password
References: <1207889845.17526.3.camel@financialseal.localdomain> <47FF81B5.9050708@redhat.com>
Message-ID:

Rich Megginson wrote:
> Joe Byers wrote:
>> I installed FDS 1.1 the other day on my redhat EL5 server.
> Did you install using these directions?
> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5

yes very carefully.

>
> i386 or x86_64? Looks like i386 based on the console output.
>> Tested the
>> system and it seem to be working. When I execute fedora-idm-console
>> -D 9 -a https://financialseal:9380 -f console.log the console window
>> locks
>> on the password field. Tab does not work, enter does not work,
>> nothing. The OK button stays disabled. The other fields are fine. I
>> think it has something to do with my java version. I have tried
>> every one from 1.4.2 (ibm/bea) through 1.6 (bea/sun)
>>
> We do most all of our testing using IBM JRE 1.5 (i386 or x86_64) - did
> you try that?

I thought I had tried them all since I have 3 bea's, 2 ibm's, 2 sun's, and gcj installed. I guess I missed the ibm 1.5. I worked with that version.

What is the awt or swing component for the password field that the java application uses that is in the ibm version and not in the sun version?

I really appreciate the comment that pointed me in the right place. I can now create a wrapper script to change my java alternative before and after executing the fedora-idm-console application.

Thank you again.

>> I can access the DS using the windows tool on my XP box, login in, and
>> browse to all tabs.
>> I can log in to the DS using my browser on both
>> my server, my xp box, and my other linux computer here at home.
>>
>> Only on my server does this error occur. my console.log dump is
>> below.
>>
>> Any suggestions would be greatly appreciated.
>>
>> Thank you in advance.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>

From rmeggins at redhat.com Fri Apr 11 23:31:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 11 Apr 2008 17:31:51 -0600
Subject: [Fedora-directory-users] Re: Fedora-idm-console does not accept password
In-Reply-To:
References: <1207889845.17526.3.camel@financialseal.localdomain> <47FF81B5.9050708@redhat.com>
Message-ID: <47FFF4E7.1070801@redhat.com>

Joe wrote:
> Rich Megginson wrote:
>
>> Joe Byers wrote:
>>
>>> I installed FDS 1.1 the other day on my redhat EL5 server.
>>>
>> Did you install using these directions?
>> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
>>
> yes very carefully.
>
>> i386 or x86_64? Looks like i386 based on the console output.
>>
>>> Tested the
>>> system and it seem to be working. When I execute fedora-idm-console
>>> -D 9 -a https://financialseal:9380 -f console.log the console window
>>> locks
>>> on the password field. Tab does not work, enter does not work,
>>> nothing. The OK button stays disabled. The other fields are fine. I
>>> think it has something to do with my java version. I have tried
>>> every one from 1.4.2 (ibm/bea) through 1.6 (bea/sun)
>>>
>> We do most all of our testing using IBM JRE 1.5 (i386 or x86_64) - did
>> you try that?
>>
>
> I thought I had tried them all since I have 3 bea's, 2 ibm's, 2 sun's,
> and gcj installed. I guess I missed the ibm 1.5. I worked with that
> version.
>
> What is the awt or swing component for the password field that the java
> application uses that is in the ibm version and not in the sun version?
>
I'm not sure, and I'm really surprised that it works with ibm 1.5 but neither sun nor bea 1.4. I knew there were issues with 1.6 - this isn't the only one.

> I really appreciate the comment that pointed me in the write place. I
> can now create a wrapper script to change me java alternative before and
> after executing the fedora-idm-console application.
>
> Thank you again.
Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ecjbosu at aol.com Sat Apr 12 01:54:56 2008 From: ecjbosu at aol.com (Joe W. Byers) Date: Fri, 11 Apr 2008 20:54:56 -0500 Subject: [Fedora-directory-users] Re: Fedora-idm-console does not accept password In-Reply-To: <47FFF4E7.1070801@redhat.com> References: <1207889845.17526.3.camel@financialseal.localdomain> <47FF81B5.9050708@redhat.com> <47FFF4E7.1070801@redhat.com> Message-ID: <48001670.7030101@aol.com> Rich Megginson wrote: > Joe wrote: >> Rich Megginson wrote: >> >> >>> Joe Byers wrote: >>> >>>> I installed FDS 1.1 the other day on my redhat EL5 server. >>>> >>> Did you install using these directions? >>> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 >>> >> yes very carefully. >> >>> i386 or x86_64? Looks like i386 based on the console output. >>> >>>> Tested the >>>> system and it seem to be working. When I execute fedora-idm-console >>>> -D 9 -a https://financialseal:9380 -f console.log the console window >>>> locks >>>> on the password field. Tab does not work, enter does not work, >>>> nothing. The OK button stays disabled. The other fields are fine. I >>>> think it has something to do with my java version. I have tried >>>> every one from 1.4.2 (ibm/bea) through 1.6 (bea/sun) >>>> >>> We do most all of our testing using IBM JRE 1.5 (i386 or x86_64) - did >>> you try that? >>> >> >> I thought I had tried them all since I have 3 bea's, 2 ibm's, 2 sun's, >> and gcj installed. I guess I missed the ibm 1.5. I worked with that >> version. 
>> What is the awt or swing component for the password field that the java
>> application uses that is in the ibm version and not in the sun version?
> I'm not sure, and I'm really surprised that it works with ibm 1.5 but
> neither sun nor bea 1.4. I knew there were issues with 1.6 - this isn't
> the only one.

It does not work with bea 1.5 or 1.6. Strange! It will be figured out one
day. I went to sun 1.5 long before the ibm or bea 1.5's were released
because of several of the new features in them. Made a java project I was
working on easier.

I also now have both my linux computers operating with FDS, now to get my
XP working.

Thanx again

>> I really appreciate the comment that pointed me in the right place. I
>> can now create a wrapper script to change my java alternative before and
>> after executing the fedora-idm-console application.
>>
>> Thank you again.
>>
>>>> I can access the DS using the windows tool on my XP box, log in, and
>>>> browse to all tabs. I can log in to the DS using my browser on both
>>>> my server, my xp box, and my other linux computer here at home.
>>>>
>>>> Only on my server does this error occur. my console.log dump is
>>>> below.
>>>>
>>>> Any suggestions would be greatly appreciated.
>>>>
>>>> Thank you in advance.
>>>>
>>>> [console.log dump elided here; it is the same dump that is quoted in
>>>> full earlier in this thread]
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From aleksander.adamowski.fedora at altkom.pl Mon Apr 14 09:14:08 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Mon, 14 Apr 2008 11:14:08 +0200
Subject: [Fedora-directory-users] defaultsearchbase and empty base dn subtree searches
Message-ID: <48032060.4000104@altkom.pl>

Hi!

I'm migrating from OpenLDAP to Fedora Directory.

In the OpenLDAP infrastructure, I had used proxy LDAP servers (the
slapd-ldap backend) to direct requests to slapd-bdb backend OpenLDAP
instances with failover in case of failure.
In addition to that, using the rwm overlay, the slapd-ldap instance did
request rewriting of queries that specify empty base dn.
The configuration for the slapd-ldap instance was:

database ldap
suffix ""
uri "ldap://localhost:392/,ldaps://otherserver:636/"
timeout 24
idle-timeout 16
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchBase
rwm-rewriteRule "$" "o=MyDefaultBase" ":"

I've read a thread from 2006-02 on this list
(https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00108.html)
that it's possible to get a similar behaviour on FDS by modifying dse.ldif.

I've stopped the FDS instance, modified
/etc/dirsrv/slapd-instancename/dse.ldif and started FDS again:

dn:
objectClass: top
objectClass: extensibleObject
defaultsearchbase: o=MyDefaultBase
aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
 read,search,compare) userdn="ldap:///anyone";)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20080411165538Z
modifyTimestamp: 20080411165538Z

However, it still doesn't return anything when clients search with an
empty base:

# /usr/lib64/mozldap/ldapsearch -b 'o=MyDefaultBase' -s sub uid=olo uid
version: 1
dn: uid=olo,ou=People,o=MyDefaultBase
uid: olo

# /usr/lib64/mozldap/ldapsearch -b '' -s sub uid=olo uid
ldap_search: No such object

Maybe it's relevant that the host in question takes part in a multi-master
replication setup of 3 FDS servers.

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
--
Aleksander Adamowski
Corporate Systems Administrator; Instructor
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51
tel.: none, mobile: +48 601-318-080
District Court for the Capital City of Warsaw in Warsaw, XII Commercial
Division of the National Court Register, KRS: 0000120139, NIP 118-00-08-391,
share capital: 1 000 000 PLN. Registered address: ul. Stawki 2, 00-193 Warszawa.
This message contains proprietary information and trade secrets of Altkom
Akademia S.A. company. Unauthorized use or disclosure of this information to
any third party is prohibited. If you received this message by mistake,
please contact the sender immediately and delete all copies of this message.

From aleksander.adamowski.fedora at altkom.pl Mon Apr 14 09:41:59 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Mon, 14 Apr 2008 11:41:59 +0200
Subject: [Fedora-directory-users] NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
Message-ID: <480326E7.5060607@altkom.pl>

Hi!

I have a proxy OpenLDAP server (based on the slapd-ldap backend) that
connects to Fedora Directory server.

All is fine if OpenLDAP is configured to connect using a non-SSL URI
without TLS.

However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP uses
its server certificate during TLS/SSL negotiation and Fedora Directory
decides that this certificate usage isn't good because it's not a client
certificate. In FDS logs I can see:

[14/Apr/2008:11:33:33 +0200] conn=1474 fd=65 slot=65 SSL connection from IP_OF_OPENLDAP to IP_OF_FDS
[14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error -8101 (Certificate type not approved for application.); unauthenticated client E=some_email,CN=hostname,ETC,ETC,; issuer E=ISSUER_DATA
[14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed - Certificate type not approved for application.

Is there a way to relax those requirements in Fedora Directory for this
particular case (an LDAP client that uses a server certificate)? Like, say,
some tweaks in nss.conf?
--
Best Regards,
Aleksander Adamowski

From michael at stroeder.com Mon Apr 14 12:32:49 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 14 Apr 2008 14:32:49 +0200
Subject: [Fedora-directory-users] NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <480326E7.5060607@altkom.pl>
References: <480326E7.5060607@altkom.pl>
Message-ID: <48034EF1.1020503@stroeder.com>

Aleksander Adamowski wrote:
>
> However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP
> uses its server certificate during TLS/SSL negotiation and Fedora
> Directory decides that this certificate usage isn't good because it's
> not a client certificate. In FDS logs I can see:
> [..]
> [14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error
> -8101 (Certificate type not approved for application.); unauthenticated
> client E=some_email,CN=hostname,ETC,ETC,; issuer E=ISSUER_DATA
> [14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed - Certificate
> type not approved for application.

I guess this is because of wrong X.509v3 cert extensions. Maybe you should
post a text dump of the public-key cert.

openssl x509 -in certfilename.pem -noout -text

Ciao, Michael.

From wpfontenot at cox.net Mon Apr 14 13:58:40 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Mon, 14 Apr 2008 06:58:40 -0700
Subject: [Fedora-directory-users] unsubscribe
Message-ID: <000101c89e37$a524a050$ef6de0f0$@net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From michael at stroeder.com Mon Apr 14 14:22:15 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 14 Apr 2008 16:22:15 +0200
Subject: [Fedora-directory-users] LDAP Sync scripts
In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C6C7@SEISINTMX01>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F2A4@eri.winad.be> <47FB8A10.1050201@redhat.com> <47FBB9AB.6070303@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C6C7@SEISINTMX01>
Message-ID: <48036897.5040604@stroeder.com>

DeMarco, Dennis wrote:
>
> I have an older LDAP server that I want to sync some subtrees to a newer
> one before a switchover. Are there any tools out there that can do this
> easily?

I'd recommend doing a one-step migration since daily/real-time syncing is
more work. First try to export the data from the old LDAP server as LDIF and
import it to the new one during a test-drive. If it fails then you know how
to sanitize the old data before importing it. This can be a simple LDIF
import or serious tweaking of the input data. Only you can find out.

Ciao, Michael.
From rmeggins at redhat.com Mon Apr 14 15:24:32 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Apr 2008 09:24:32 -0600
Subject: [Fedora-directory-users] NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <480326E7.5060607@altkom.pl>
References: <480326E7.5060607@altkom.pl>
Message-ID: <48037730.1070307@redhat.com>

Aleksander Adamowski wrote:
> Hi!
>
> I have a proxy OpenLDAP server (based on slapd-ldap) backend that
> connects to Fedora Directory server.
>
> All is fine if OpenLDAP is configured to connect using non-SSL URI
> without TLS.
>
> However, whenever I try TLS on port 389 or SSL on port 636, OpenLDAP
> uses its server certificate during TLS/SSL negotiation and Fedora
> Directory decides that this certificate usage isn't good because it's
> not a client certificate. In FDS logs I can see:
>
> [14/Apr/2008:11:33:33 +0200] conn=1474 fd=65 slot=65 SSL connection
> from IP_OF_OPENLDAP to IP_OF_FDS
> [14/Apr/2008:11:33:33 +0200] conn=1474 Netscape Portable Runtime error
> -8101 (Certificate type not approved for application.);
> unauthenticated client E=some_email,CN=hostname,ETC,ETC,; issuer
> E=ISSUER_DATA
> [14/Apr/2008:11:33:33 +0200] conn=1474 op=-1 fd=65 closed -
> Certificate type not approved for application.
>
> Is there a way to relax those requirements in Fedora Directory for
> this particular case (LDAP client that uses a server certificate)?
Do you need to use cert based auth? If not, just configure the application
to not use cert. based auth - just use username/password auth over SSL (or
TLS). If you must use cert. based auth, you may be able to use the certutil
command to change the trust flags of the cert - see certutil -H. See also
this page for information about cert. based auth -
http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Like, say some tweaks in nss.conf?
NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss (name
switch service - as in nss_ldap) are completely different and unfortunately
share the same name.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Mon Apr 14 15:26:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Apr 2008 09:26:02 -0600
Subject: [Fedora-directory-users] defaultsearchbase and empty base dn subtree searches
In-Reply-To: <48032060.4000104@altkom.pl>
References: <48032060.4000104@altkom.pl>
Message-ID: <4803778A.8020702@redhat.com>

Aleksander Adamowski wrote:
> Hi!
>
> I'm migrating from OpenLDAP to Fedora Directory.
>
> In the OpenLDAP infrastructure, I had used proxy LDAP servers (the
> slapd-ldap backend) to direct requests to slapd-bdb backend OpenLDAP
> instances with failover in case of failure.
> In addition to that, using the rwm overlay, the slapd-ldap instance
> did request rewriting of queries that specify empty base dn.
>
> The configuration for slapd-ldap instance was:
>
> database ldap
> suffix ""
> uri "ldap://localhost:392/,ldaps://otherserver:636/"
> timeout 24
> idle-timeout 16
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteContext searchBase
> rwm-rewriteRule "$" "o=MyDefaultBase" ":"
>
> I've read a thread from 2006-02 on this list
> (https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00108.html)
> that it's possible to get a similar behaviour on FDS by modifying
> dse.ldif.
>
> I've stopped the FDS instance, modified
> /etc/dirsrv/slapd-instancename/dse.ldif and started FDS again:
>
> dn:
> objectClass: top
> objectClass: extensibleObject
> defaultsearchbase: o=MyDefaultBase
> aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read
> access"; allow(
> read,search,compare) userdn="ldap:///anyone";)
> creatorsName: cn=server,cn=plugins,cn=config
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20080411165538Z
> modifyTimestamp: 20080411165538Z
>
> However, it still doesn't return anything when clients search with
> empty base:
>
> # /usr/lib64/mozldap/ldapsearch -b 'o=MyDefaultBase' -s sub uid=olo uid
> version: 1
> dn: uid=olo,ou=People,o=MyDefaultBase
> uid: olo
>
> # /usr/lib64/mozldap/ldapsearch -b '' -s sub uid=olo uid
> ldap_search: No such object
>
> Maybe it's relevant that the host in question takes part in
> multi-master replication setup of 3 FDS servers.
>
defaultSearchBase is not a server side thing. It only works if clients
understand how to use it. There is no way to make Fedora DS do a subtree
search from base "" unless you write a C code plugin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From maumar at cost.it Mon Apr 14 15:38:32 2008
From: maumar at cost.it (Maurizio Marini)
Date: Mon, 14 Apr 2008 17:38:32 +0200
Subject: [Fedora-directory-users] access rights to pc resources
Message-ID: <200804141738.32723.maumar@cost.it>

I am using FDS as a PDC. In AD, they can decide which user can log on to
which workstation (and this is available in the NT Account FDS GUI admin,
it's ok); but a network admin can also decide that a user can or cannot use
a USB device, an application, and so on.

How can I configure resource access profiles?
tia
-m

From iferreir at personal.com.py Mon Apr 14 16:11:07 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Mon, 14 Apr 2008 12:11:07 -0400
Subject: [Fedora-directory-users] LDAP Sync scripts
In-Reply-To: <48036897.5040604@stroeder.com>
Message-ID:

There may be people that already hate me for "promoting" ldapadmin.exe so
much, but with this tool you can easily export/import a subtree.

To: "General discussion list for the Fedora Directory server project."
Sent by: fedora-directory-users-bounces at redhat.com
From: Michael Ströder
Date: 14/04/2008 10:22 a.m.
Subject: Re: [Fedora-directory-users] LDAP Sync scripts
Classification: Internal Use
Please respond to "General discussion list for the Fedora Directory server project."

DeMarco, Dennis wrote:
>
> I have an older LDAP server that I want to sync some subtrees to a newer
> one before a switchover. Are there any tools out there that can do this
> easily?

I'd recommend doing a one-step migration since daily/real-time syncing is
more work. First try to export the data from the old LDAP server as LDIF and
import it to the new one during a test-drive. If it fails then you know how
to sanitize the old data before importing it. This can be a simple LDIF
import or serious tweaking of the input data. Only you can find out.

Ciao, Michael.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for
the recipient only. If you are not the intended recipient of this message you
are hereby notified that any review, dissemination, distribution or copying
of this message is strictly prohibited. This communication is for information
purposes only and shall not be regarded as a proposal, acceptance, statement
of will or official statement from NUCLEO S.A. Email transmission cannot be
guaranteed to be secure or error-free. Therefore, we do not represent that
this information is complete or accurate and it should not be relied upon as
such. All information is subject to change without notice.

From aleksander.adamowski.fedora at altkom.pl Mon Apr 14 17:02:41 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Mon, 14 Apr 2008 19:02:41 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48037730.1070307@redhat.com>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com>
Message-ID: <48038E31.5020708@altkom.pl>

Rich Megginson wrote:
> Do you need to use cert based auth? If not, just configure the
> application to not use cert. based auth - just use username/password
> auth over SSL (or TLS). If you must use cert. based auth, you may be
> able to use the certutil command to change the trust flags of the cert
> - see certutil -H. See also this page for information about cert.
> based auth - http://directory.fedoraproject.org/wiki/Howto:CertMapping
Hmm, this has given me an idea for a solution. After switching the
Encryption -> Client Authentication setting of dirsrv from "Allow client
authentication" to "Do not allow client authentication" I got this working.

It seems that whenever certificate authentication is an allowed possibility
on the FDS server side, the OpenLDAP client tries using it even if it is
operating inside an OpenLDAP server environment (in which case it supplies
its server certificate as the client's - thus the problem).

This case is special since the OpenLDAP server acts as an LDAP client to the
FDS server.
I think the problem is on the OpenLDAP side (it shouldn't use its server
certificate for client authentication when acting as an LDAP client).

>> Like, say some tweaks in nss.conf?
> NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss
> (name switch service - as in nss_ldap) are completely different and
> unfortunately share the same name.
Read carefully: I wasn't talking about nsswitch.conf (which is for the Name
Service Switch), but nss.conf (which is a config file for mod_nss, which is
based on the Network Security Services library).

The FDS admin server (dirsrv-admin) is based on Apache and it uses mod_nss
for handling SSL connections.
So inside /etc/dirsrv/admin-serv/nss.conf you can tweak the SSL-related
behaviour of dirsrv-admin.

I thought that there might be a similar method to tweak the behaviour of
dirsrv (although not through nss.conf, since dirsrv doesn't use mod_nss and
doesn't contain an http server in any part), like some undocumented setting
in dse.ldif. However, the more correct fix turned out to be to disallow
certificate-based client authentication.

--
Best Regards,
Aleksander Adamowski

From rmeggins at redhat.com Mon Apr 14 17:15:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Apr 2008 11:15:13 -0600
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48038E31.5020708@altkom.pl>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl>
Message-ID: <48039121.3090400@redhat.com>

Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> Do you need to use cert based auth? If not, just configure the
>> application to not use cert. based auth - just use username/password
>> auth over SSL (or TLS). If you must use cert. based auth, you may be
>> able to use the certutil command to change the trust flags of the
>> cert - see certutil -H. See also this page for information about
>> cert. based auth -
>> http://directory.fedoraproject.org/wiki/Howto:CertMapping
> Hmm, this has given me an idea for a solution.
> After switching
> Encryption -> Client Authentication settings of dirsrv from "Allow
> client authentication" to "Do not allow client authentication" I got
> this working.
>
> It seems that whenever certificate authentication is an allowed
> possibility on the FDS server side, OpenLDAP client tries using it
> even if it is operating inside an OpenLDAP server environment (in
> which case it supplies its server certificate as client's - thus the
> problem).
>
> This case is special since OpenLDAP server acts as an LDAP client to
> FDS server.
> I think the problem is on OpenLDAP side (it shouldn't use its server
> certificate for client authentication when acting as an LDAP client).
That should be fine. Fedora DS can do the same thing e.g. with
server-to-server chaining and replication, using the server cert for client
cert auth. It just depends on the type of cert issued and/or the trust flags
on the cert.
>
>>> Like, say some tweaks in nss.conf?
>> NSS (Netscape^H^H^H^H^Hwork Security Services) for crypto and nss
>> (name switch service - as in nss_ldap) are completely different and
>> unfortunately share the same name.
> Read carefully: I wasn't talking about nsswitch.conf (which is for
> Name Service Switch), but nss.conf (which is a config file for mod_nss
> which is based on Network Security Services library).
>
> The FDS admin server (dirsrv-admin) is based on Apache and it uses
> mod_nss for handling SSL connections.
> So inside /etc/dirsrv/admin-serv/nss.conf you can tweak SSL-related
> behaviour of dirsrv-admin.
Ok. I thought we were talking about the directory server only.
>
> I thought that there might be a similar method to tweak behaviour of
> dirsrv (although not through nss.conf since dirsrv doesn't use mod_nss
> and doesn't contain a http server in any part), like some
> undocumented setting in dse.ldif. However, more correct fix turned out
> to be disallow certificate-based client authentication.
See the RHDS 8.0 Admin Guide, Chapter 12 - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and http://tinyurl.com/688w9y See also the detailed information for all of the security/encryption configuration entries and attributes - http://tinyurl.com/35qddb - there is also an apparently undocumented entry cn=RSA, cn=encryption, cn=config. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From aleksander.adamowski.fedora at altkom.pl Mon Apr 14 17:40:53 2008 From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski) Date: Mon, 14 Apr 2008 19:40:53 +0200 Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server In-Reply-To: <48039121.3090400@redhat.com> References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> Message-ID: <48039725.7050002@altkom.pl> Rich Megginson wrote: > That should be fine. Fedora DS can do the same thing e.g. with > server-to-server chaining and replication, using the server cert for > client cert auth. It just depends on the type of cert issued and/or > the trust flags on the cert. If I understand correctly you're implying that server2server ssl connections are handled with the same logic that client2server ssl? Then it's strange, since I'm using multi-master replication with all s2s connections using SSL (port 636). I've generated all the certificates (for FDS servers and for OpenLDAP servers) using the same OpenSSL CA openssl.cnf config file (but a slightly different configuration section WRT subjectAltName field - see below). The relevant fields of the OpenLDAP server's certificate are: X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server ... 
            X509v3 Subject Alternative Name:
                email:postmaster at MY_DOMAIN_NAME

While the same fields of the FDS certificate are:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            ...
            X509v3 Subject Alternative Name:
                DNS:servername2.MY_DOMAIN_NAME, DNS:servername3.MY_DOMAIN_NAME

Other differences are only in key length, crypto algorithms and values
of serial numbers, fingerprint etc.

So the only possibly relevant difference is that in OpenLDAP's cert
the subjectAltName field contains an e-mail address and in Fedora
Directory Server's it contains alternative DNS host names of the FDS
server. Might it be the cause?

>>
>> I thought that there might be a similar method to tweak behaviour of
>> dirsrv (although not through nss.conf since dirsrv doesn't use
>> mod_nss and doesn't contain a http server in any part), like some
>> undocumented setting in dse.ldif. However, the more correct fix turned
>> out to be to disallow certificate-based client authentication.
> See the RHDS 8.0 Admin Guide, Chapter 12 -
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and
> http://tinyurl.com/688w9y
>
> See also the detailed information for all of the security/encryption
> configuration entries and attributes - http://tinyurl.com/35qddb -
> there is also an apparently undocumented entry cn=RSA, cn=encryption,
> cn=config.

Yup, I've read that but there isn't anything conclusive over there. I
was counting on some undocumented configuration attribute that would
control which usages are allowed in client x.509 certs.

-- 
Best Regards,
  Aleksander Adamowski
  GG#: 274614
  ICQ UIN: 19780575
  http://olo.org.pl

-- 
Aleksander Adamowski
Corporate Systems Administrator; Instructor
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51
tel.: none; mobile: +48 601-318-080
From rmeggins at redhat.com Mon Apr 14 18:08:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Apr 2008 12:08:03 -0600
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48039725.7050002@altkom.pl>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> <48039725.7050002@altkom.pl>
Message-ID: <48039D83.9090006@redhat.com>

Aleksander Adamowski wrote:
> Rich Megginson wrote:
>> That should be fine. Fedora DS can do the same thing e.g. with
>> server-to-server chaining and replication, using the server cert for
>> client cert auth. It just depends on the type of cert issued and/or
>> the trust flags on the cert.
> If I understand correctly you're implying that server2server ssl
> connections are handled with the same logic as client2server ssl?

What I meant was that the server handles any client cert based auth the
same way, regardless of whether the "client" is a user or another
server.
>
> Then it's strange, since I'm using multi-master replication with all
> s2s connections using SSL (port 636). I've generated all the
> certificates (for FDS servers and for OpenLDAP servers) using the same
> OpenSSL CA openssl.cnf config file (but a slightly different
> configuration section WRT the subjectAltName field - see below).
>
> The relevant fields of the OpenLDAP server's certificate are:
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             ...
>             X509v3 Subject Alternative Name:
>                 email:postmaster at MY_DOMAIN_NAME
>
> While the same fields of the FDS certificate are:
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             ...
>             X509v3 Subject Alternative Name:
>                 DNS:servername2.MY_DOMAIN_NAME, DNS:servername3.MY_DOMAIN_NAME
>
> Other differences are only in key length, crypto algorithms and values
> of serial numbers, fingerprint etc.
>
> So the only possibly relevant difference is that in OpenLDAP's
> cert the subjectAltName field contains an e-mail address and in Fedora
> Directory Server's it contains alternative DNS host names of the FDS
> server. Might it be the cause?

I'm not sure how NSS handles certificate verification with
subjectAltName. I know that in order for the validation to work without
subjectAltName, the leftmost RDN in the subjectDN must be cn=FQDN of the
server e.g. cn=ldap1.example.com, ou=Fedora Directory Server,
dc=example, dc=com

I'm also not sure if that applies to cert based auth.

>>
>>>
>>> I thought that there might be a similar method to tweak behaviour of
>>> dirsrv (although not through nss.conf since dirsrv doesn't use
>>> mod_nss and doesn't contain a http server in any part), like some
>>> undocumented setting in dse.ldif. However, the more correct fix turned
>>> out to be to disallow certificate-based client authentication.
>> See the RHDS 8.0 Admin Guide, Chapter 12 -
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/ and
>> http://tinyurl.com/688w9y
>>
>> See also the detailed information for all of the security/encryption
>> configuration entries and attributes - http://tinyurl.com/35qddb -
>> there is also an apparently undocumented entry cn=RSA, cn=encryption,
>> cn=config.
> Yup, I've read that but there isn't anything conclusive over there. I
> was counting on some undocumented configuration attribute that would
> control which usages are allowed in client x.509 certs.
>

Ok. I'm not sure what NSS is complaining about here. If NSS is
complaining that the hostname in the subjectDN or the subjectAltName
doesn't match the actual server, I don't think that makes sense in the
context of cert based auth, since a client will usually not have an
associated FQDN. So I believe it's complaining that the cert was not
issued as an SSL client cert. I do know that you can issue a cert that
can be used for both SSL server and SSL client use. I'm not sure if you
can use certutil -M to modify the trust flags of a server cert after
issuance to allow it to be used for SSL client use. The guys at
news.mozilla.org:mozilla.dev.tech.crypto would know for sure.

Finally, there doesn't appear to be a way in Fedora DS to allow other
types of certificates to be used for client cert auth, or to ignore
problems of this nature.
From michael at stroeder.com Mon Apr 14 21:57:15 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 14 Apr 2008 23:57:15 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48039725.7050002@altkom.pl>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> <48039725.7050002@altkom.pl>
Message-ID: <4803D33B.40909@stroeder.com>

Aleksander Adamowski wrote:
>
> The relevant fields of the OpenLDAP server's certificate are:

What about the keyUsage and extendedKeyUsage extensions?

Ciao, Michael.

From michael at stroeder.com Mon Apr 14 21:58:47 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 14 Apr 2008 23:58:47 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48039D83.9090006@redhat.com>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> <48039725.7050002@altkom.pl> <48039D83.9090006@redhat.com>
Message-ID: <4803D397.9050704@stroeder.com>

Rich Megginson wrote:
> I'm not sure how NSS handles certificate verification with
> subjectAltName. I know that in order for the validation to work without
> subjectAltName, the leftmost RDN in the subjectDN must be cn=FQDN of the
> server e.g. cn=ldap1.example.com, ou=Fedora Directory Server,
> dc=example, dc=com

Yes, for server certs which are validated by the client.

> I'm also not sure if that applies to cert based auth.

It doesn't.

Ciao, Michael.
From michael at stroeder.com Mon Apr 14 22:02:59 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 15 Apr 2008 00:02:59 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48038E31.5020708@altkom.pl>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl>
Message-ID: <4803D493.5040603@stroeder.com>

Aleksander Adamowski wrote:
> It seems that whenever certificate authentication is an allowed
> possibility on the FDS server side, OpenLDAP client tries using it even
> if it is operating inside an OpenLDAP server environment (in which case
> it supplies its server certificate as client's - thus the problem).

OpenLDAP client lib supplies the client cert which was configured for
back-ldap. Check OpenLDAP's ldap.conf or slapd.conf and the relevant
man-pages.

> I think the problem is on OpenLDAP side (it shouldn't use its server
> certificate for client authentication when acting as an LDAP client).

I think the problem is with your particular configuration and the certs
you're using.

Ciao, Michael.
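Added example, not part of the thread: a shell script (it needs the openssl command line tool) that turns the keyUsage/extendedKeyUsage question above into a check. It issues two throw-away self-signed certificates from an openssl.cnf, one carrying only the server-side extensions the proxy's certificate has (Netscape Cert Type: SSL Server, no clientAuth) and one that additionally allows client use, and asks OpenSSL whether each may act as an SSL client. The hostname and the section names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Shows how the extension lines in an
# openssl.cnf section decide whether a certificate may be used for TLS *client*
# authentication, which is what an OpenLDAP proxy (or a chaining/replicating
# directory server) needs when it connects to FDS with cert-based auth.
# Requires the openssl command line tool. ldap1.example.com and the section
# names are invented for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = ldap1.example.com

# Server-only profile, like the proxy certificate discussed in the thread:
# Netscape Cert Type limited to "SSL Server" and an extendedKeyUsage of
# serverAuth only.
[ v3_server_only ]
basicConstraints = CA:FALSE
nsCertType       = server
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ldap1.example.com

# Dual-use profile: one certificate the same process can present to its own
# clients as a server and to FDS as a client.
[ v3_dual_use ]
basicConstraints = CA:FALSE
nsCertType       = server,client
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName   = DNS:ldap1.example.com
EOF

# issue_cert SECTION
# Self-signed throw-away key and certificate using the extensions of SECTION.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions "$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# client_auth_purpose SECTION
# Prints "Yes" or "No": OpenSSL's verdict on whether a certificate issued with
# SECTION may be used as an SSL client certificate. The certificate is issued
# only once per section.
client_auth_purpose() {
  [ -f "$WORK/$1.pem" ] || issue_cert "$1" || return 1
  openssl x509 -in "$WORK/$1.pem" -noout -purpose |
    awk -F' : ' '$1 == "SSL client" { print $2 }'
}

# Walk both profiles and show which one a server doing cert-based client
# auth could accept.
for section in v3_server_only v3_dual_use; do
  printf '%-15s SSL client: %s\n' "$section" "$(client_auth_purpose "$section")"
done
# prints:
#   v3_server_only  SSL client: No
#   v3_dual_use     SSL client: Yes
```

OpenSSL's -purpose verdict is not NSS's, but both derive the permitted usage from these same extensions (NSS additionally from the trust flags on the cert), so a certificate that fails this check is the kind a server-only profile produces.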
From aleksander.adamowski.fedora at altkom.pl Tue Apr 15 11:41:08 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Tue, 15 Apr 2008 13:41:08 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <4803D33B.40909@stroeder.com>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> <48039725.7050002@altkom.pl> <4803D33B.40909@stroeder.com>
Message-ID: <48049454.5030403@altkom.pl>

Michael Ströder wrote:
> Aleksander Adamowski wrote:
>>
>> The relevant fields of the OpenLDAP server's certificate are:
>
> What about the keyUsage and extendedKeyUsage extensions?
>
> Ciao, Michael.

These aren't present, unfortunately. I didn't place keyUsage in the
openssl.cnf section used for server certificates...

-- 
Best Regards,
  Aleksander Adamowski
From aleksander.adamowski.fedora at altkom.pl Tue Apr 15 11:50:40 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Tue, 15 Apr 2008 13:50:40 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <4803D493.5040603@stroeder.com>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <4803D493.5040603@stroeder.com>
Message-ID: <48049690.9050302@altkom.pl>

Michael Ströder wrote:
> Aleksander Adamowski wrote:
>> It seems that whenever certificate authentication is an allowed
>> possibility on the FDS server side, OpenLDAP client tries using it
>> even if it is operating inside an OpenLDAP server environment (in
>> which case it supplies its server certificate as client's - thus the
>> problem).
>
> OpenLDAP client lib supplies the client cert which was configured for
> back-ldap. Check OpenLDAP's ldap.conf or slapd.conf and the relevant
> man-pages.

The point is that there's _no_ client cert, I don't intend to have
mutual authentication here - I'd like slapd-ldap _not_ to authenticate
itself with a certificate. I'd like it to behave like an ordinary
certificate-less client.

But it chooses to use its server certificate to authenticate itself as
a client to FDS server.

I don't see any options to force _no client authentication_ - neither
in slapd-ldap(5), nor slapd.conf(5), nor ldap.conf(5).

I'm using OpenLDAP 2.3.39.

-- 
Best Regards,
  Aleksander Adamowski
From jheenan at fairfaxmedia.com.au Tue Apr 15 03:44:26 2008
From: jheenan at fairfaxmedia.com.au (Joel Heenan)
Date: Tue, 15 Apr 2008 13:44:26 +1000
Subject: [Fedora-directory-users] pam_ldap support dynamic groups
Message-ID: <8BED0ADCE0100241A8DD768706A2295CD92AA0@EXCHDP3.ffx.jfh.com.au>

Fedora Directory Users,

Very quick question I hope - does pam_ldap support dynamic groups? I
couldn't find anything in google and my tests say no.

Thanks

Joel
From michael at stroeder.com Tue Apr 15 15:39:28 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 15 Apr 2008 17:39:28 +0200
Subject: [Fedora-directory-users] SOLVED: NSPR "Certificate type not approved for application" error when a TLS-enabled proxy LDAP OpenLDAP server connects to Fedora Directory Server
In-Reply-To: <48049454.5030403@altkom.pl>
References: <480326E7.5060607@altkom.pl> <48037730.1070307@redhat.com> <48038E31.5020708@altkom.pl> <48039121.3090400@redhat.com> <48039725.7050002@altkom.pl> <4803D33B.40909@stroeder.com> <48049454.5030403@altkom.pl>
Message-ID: <4804CC30.5050606@stroeder.com>

Aleksander Adamowski wrote:
> Michael Ströder wrote:
>> Aleksander Adamowski wrote:
>>>
>>> The relevant fields of the OpenLDAP server's certificate are:
>>
>> What about the keyUsage and extendedKeyUsage extensions?
>>
> These aren't present, unfortunately.

IIRC they have to be defined. Example lines for openssl.cnf:

    keyUsage = digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth

Ciao, Michael.

From cruz at senai-sc.ind.br Tue Apr 15 23:46:46 2008
From: cruz at senai-sc.ind.br (Daniel Cristian Cruz)
Date: Tue, 15 Apr 2008 20:46:46 -0300
Subject: [Fedora-directory-users] Removing a Smart Referral
Message-ID: <1208303206.24241.19.camel@localhost>

Hi All,

Is there any way to remove a smart referral?

We had some users which are in a replicated tree, and we need to use
them on our own tree. I can't find any way to remove the reference
without removing the user in the replicated tree.
Example:

o=My Org
  ou=Unit 1
    uid=Replicated Account (consumer suffix)
  ou=Unit 2
    uid=My Account
    uid=Replicated Account (Smart Referral to "uid=Replicated Account,ou=Unit 1,o=My Org")

Any help?

-- 
Daniel Cristian Cruz
Systems Analyst - Database Administrator
SENAI/SC - Serviço Nacional de Aprendizagem Industrial
NTI - Núcleo de Tecnologia da Informação
Phone: (48) 3239-1422

From gholbert at broadcom.com Wed Apr 16 00:34:45 2008
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 15 Apr 2008 17:34:45 -0700
Subject: [Fedora-directory-users] Removing a Smart Referral
In-Reply-To: <1208303206.24241.19.camel@localhost>
References: <1208303206.24241.19.camel@localhost>
Message-ID: <480549A5.3000705@broadcom.com>

With a Fedora/Mozilla-based ldapsearch, you can get the DN of your
referral objects like:

    ldapsearch -h -M -R -b "ou=Unit 2,o=My Org" "objectclass=referral"

Once you have the DN of the referral, you can remove it just like you
would any other entry. Example LDIF:

    dn: ,ou=Unit 2,o=My Org
    changeType: delete
    -

-- George

Daniel Cristian Cruz wrote:
> Hi All,
>
> Is there any way to remove a smart referral?
>
> We had some users which are in a replicated tree, and we need to use
> them on our own tree. I can't find any way to remove the reference
> without removing the user in the replicated tree.
>
> Example:
>
> o=My Org
>   ou=Unit 1
>     uid=Replicated Account (consumer suffix)
>   ou=Unit 2
>     uid=My Account
>     uid=Replicated Account (Smart Referral to "uid=Replicated Account,ou=Unit 1,o=My Org")
>
> Any help?
>

From cruz at senai-sc.ind.br Wed Apr 16 00:52:17 2008
From: cruz at senai-sc.ind.br (Daniel Cristian Cruz)
Date: Tue, 15 Apr 2008 21:52:17 -0300
Subject: [Fedora-directory-users] Removing a Smart Referral
In-Reply-To: <480549A5.3000705@broadcom.com>
References: <1208303206.24241.19.camel@localhost> <480549A5.3000705@broadcom.com>
Message-ID: <1208307137.24241.27.camel@localhost>

Hummmm...

Is there any way to do that with PHP or Python?
Didn't find any -M option in these languages...

On Ter, 2008-04-15 at 17:34 -0700, George Holbert wrote:
> With a Fedora/Mozilla-based ldapsearch, you can get the DN of your
> referral objects like:
>
>     ldapsearch -h -M -R -b "ou=Unit 2,o=My Org" "objectclass=referral"
>
> Once you have the DN of the referral, you can remove it just like you
> would any other entry. Example LDIF:
>
>     dn: ,ou=Unit 2,o=My Org
>     changeType: delete
>     -
>
> -- George
>
> Daniel Cristian Cruz wrote:
> > Hi All,
> >
> > Is there any way to remove a smart referral?
> >
> > We had some users which are in a replicated tree, and we need to use
> > them on our own tree. I can't find any way to remove the reference
> > without removing the user in the replicated tree.
> >
> > Example:
> >
> > o=My Org
> >   ou=Unit 1
> >     uid=Replicated Account (consumer suffix)
> >   ou=Unit 2
> >     uid=My Account
> >     uid=Replicated Account (Smart Referral to "uid=Replicated Account,ou=Unit 1,o=My Org")
> >
> > Any help?
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- 
Daniel Cristian Cruz

From gholbert at broadcom.com Wed Apr 16 00:57:11 2008
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 15 Apr 2008 17:57:11 -0700
Subject: [Fedora-directory-users] Removing a Smart Referral
In-Reply-To: <1208307137.24241.27.camel@localhost>
References: <1208303206.24241.19.camel@localhost> <480549A5.3000705@broadcom.com> <1208307137.24241.27.camel@localhost>
Message-ID: <48054EE7.8070005@broadcom.com>

> Is there any way to do that with PHP or Python?

There probably is. I don't know off the top of my head though.

Good luck!

-- George

Daniel Cristian Cruz wrote:
> Hummmm...
>
> Is there any way to do that with PHP or Python?
>
> Didn't find any -M option in these languages...
>
> On Ter, 2008-04-15 at 17:34 -0700, George Holbert wrote:
>
>> With a Fedora/Mozilla-based ldapsearch, you can get the DN of your
>> referral objects like:
>>
>>     ldapsearch -h -M -R -b "ou=Unit 2,o=My Org" "objectclass=referral"
>>
>> Once you have the DN of the referral, you can remove it just like you
>> would any other entry. Example LDIF:
>>
>>     dn: ,ou=Unit 2,o=My Org
>>     changeType: delete
>>     -
>>
>> -- George
>>
>> Daniel Cristian Cruz wrote:
>>
>>> Hi All,
>>>
>>> Is there any way to remove a smart referral?
>>>
>>> We had some users which are in a replicated tree, and we need to use
>>> them on our own tree. I can't find any way to remove the reference
>>> without removing the user in the replicated tree.
>>>
>>> Example:
>>>
>>> o=My Org
>>>   ou=Unit 1
>>>     uid=Replicated Account (consumer suffix)
>>>   ou=Unit 2
>>>     uid=My Account
>>>     uid=Replicated Account (Smart Referral to "uid=Replicated Account,ou=Unit 1,o=My Org")
>>>
>>> Any help?
>>>
>>

From apujana at gmail.com Wed Apr 16 09:52:22 2008
From: apujana at gmail.com (Axel Pujana)
Date: Wed, 16 Apr 2008 11:52:22 +0200
Subject: [Fedora-directory-users] access rights to pc resources
In-Reply-To: <200804141738.32723.maumar@cost.it>
References: <200804141738.32723.maumar@cost.it>
Message-ID:

On Mon, Apr 14, 2008 at 5:38 PM, Maurizio Marini wrote:
> I am using FDS as PDC.
> In AD, they can decide which user can log on to which workstation (and
> this is available in the NT Account FDS GUI admin, it's ok); but a
> network admin can decide that a user can or cannot use a USB device, an
> application, and so on.
>
> How can I configure resource access profiles?
> tia
> -m
>

From michael at stroeder.com Wed Apr 16 12:05:46 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 16 Apr 2008 14:05:46 +0200
Subject: [Fedora-directory-users] Removing a Smart Referral
In-Reply-To: <1208307137.24241.27.camel@localhost>
References: <1208303206.24241.19.camel@localhost> <480549A5.3000705@broadcom.com> <1208307137.24241.27.camel@localhost>
Message-ID: <4805EB9A.3060108@stroeder.com>

Daniel Cristian Cruz wrote:
>
> Is there any way to do that with PHP or Python?

Yes, with Python.

> Didn't find any -M option in these languages...

If -M is sending the Manage DSA IT control and what is called "Smart
Referral" are simply referral entries then use this:

http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.manage_dsa_it

You can do this interactively with web2ldap: Choose [ConnInfo] -> Set
Manage DSA IT to "enabled". It uses the python-ldap method above.

Ciao, Michael.

From valery.fauconnier at atosorigin.com Wed Apr 16 12:25:42 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Wed, 16 Apr 2008 14:25:42 +0200
Subject: [Fedora-directory-users] access rights to pc resources
In-Reply-To:
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F2CF@eri.winad.be>

To restrict login on a specific workstation, you can use the attribute
pam_groupdn in /etc/ldap.conf.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Axel Pujana
Sent: Wednesday 16 April 2008 11:52
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] access rights to pc resources

On Mon, Apr 14, 2008 at 5:38 PM, Maurizio Marini <maumar at cost.it> wrote:
> I am using FDS as PDC.
> In AD, they can decide which user can log on to which workstation (and
> this is available in the NT Account FDS GUI admin, it's ok); but a
> network admin can decide that a user can or cannot use a USB device, an
> application, and so on.
>
> How can I configure resource access profiles?
> tia
> -m
From ando at sys-net.it Wed Apr 16 13:58:25 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Wed, 16 Apr 2008 15:58:25 +0200
Subject: [Fedora-directory-users] Removing a Smart Referral
In-Reply-To: <1208307137.24241.27.camel@localhost>
References: <1208303206.24241.19.camel@localhost> <480549A5.3000705@broadcom.com> <1208307137.24241.27.camel@localhost>
Message-ID: <48060601.9000700@sys-net.it>

Daniel Cristian Cruz wrote:
> Hummmm...
>
> Is there any way to do that with PHP or Python?
>
> Didn't find any -M option in these languages...

Not familiar with Python, but surely it allows using controls.
Unfortunately to use PHP you'll need my patch: I suggest you don't
waste your time asking PHP developers to consider it for inclusion.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From bkosick at mxlogic.com Wed Apr 16 18:35:57 2008
From: bkosick at mxlogic.com (Brian Kosick)
Date: Wed, 16 Apr 2008 12:35:57 -0600
Subject: [Fedora-directory-users] Where to go to find more information on using FDS's builtin mail schema...
Message-ID: <1208370957.4662.8.camel@mxlrmt-190.corp.mxlogic.com>

Hi All,

I'm trying to find out more information on using FDS's builtin mail
schemas mentioned in http://directory.fedoraproject.org/wiki/Howto:Postfix

It appears to be mailgroup from 50ns-mail.ldif

I'm in a QA Dept, and I'm trying to accomplish a setup where I have a
large number of virtual domains, virtual users as well as aliases to
both virtual users and actual users.

I can add the mailgroup object type to a user but then get to the
mgrpDeliverTo attribute. I've also tried MailRecipient and
nsmessagingserveruser (which I think is from a different schema) but
can't figure out the mgrpDeliverTo attribute for this schema.
I've searched google extensively for information on how to do this and
have found it lacking... can someone please point me in the right
direction? RFCs, manuals, howtos etc etc etc. I'd greatly appreciate it.

Thanks,
Brian Kosick

From murthy at barc.gov.in Thu Apr 17 05:46:22 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Thu, 17 Apr 2008 11:16:22 +0530
Subject: [Fedora-directory-users] aci with group dn and self read
Message-ID: <4806E42E.4050204@barc.gov.in>

Hello,

I need an aci such that when a user of a group binds, he will be able
to see only his attributes but not others'. I tried the following but
it gives a syntax error. Please suggest.

    (target = "ldap:///self")
    (targetattr = "*")
    (version 3.0; acl "test acl"; allow (read,search)
      (groupdn = "ldap:///cn=internet,ou=groups,dc=example,dc=com") ; )

-thanks
murthy

From rlarson at usgs.gov Thu Apr 17 17:18:00 2008
From: rlarson at usgs.gov (Richard Larson)
Date: Thu, 17 Apr 2008 12:18:00 -0500
Subject: [Fedora-directory-users] could not open admin-serv-XXX-cert8.db
Message-ID:

All;

Apologize if this has been answered and I could not find it.

Setting up a new install of Fedora DS 1.0.4 to use SSL. Followed the
Howto:SSL on the site and the original written by Ashley Chew;
everything goes fine until it comes to initializing the admin-serv
cert8 and key dbs prior to importing the certs. Directory server works
fine but every time I try to manage the admin serv certificates, I get
the error:

    Could not open admin...cert8.db

Checked file permissions. Alias folder is owned by nobody/nobody and
admin server is running as root. I even chmod the alias folder just to
make sure.

Is there a flag I need to change to get the admin server to build the
initial db or maybe it's not necessary?
Thanks in advance

Rich

Rich Larson
Systems Engineer
Stinger Ghaffarian Technologies (SGT)
Contractor to the USGS Earth Resources Observation and Science
47914 252nd Street, Sioux Falls, SD 57198
605.594.2795 (Phone)
605.594.6940 (Fax)
E-mail: rlarson at usgs.gov

It is apparent that no lifetime is long enough in which to explore the
resources of a few square yards of ground. - Alice M. Coats

From iferreir at personal.com.py Thu Apr 17 17:30:34 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 17 Apr 2008 13:30:34 -0400
Subject: [Fedora-directory-users] aci with group dn and self read
In-Reply-To: <4806E42E.4050204@barc.gov.in>
Message-ID:

I think that you cannot use ldap:///self as target, and second, I don't
understand the relation between the group membership and "self"
attribute reading. If you use target = *, allow (read,search) and
userdn=ldap:///self you would have the desired result. I mean, it is
supposed that every user should be able to read its own attributes.

If you still need to do something like group and self attributes,
probably you need a targetfilter instead of target.

"C.S.R.C.Murthy" wrote on 17/04/2008 01:46 a.m.:
Uso Interno Por favor, responda a "General discussion list for the Fedora Directory server project." Hello, I need an aci such that when a user of a group binds, he will be able to see only his attribute but not others. I tried the following but it gives syntax error. Please suggest (target = "ldap:///self") (targetattr = "*") (version = 3.0; acl "test acl"; allow (read,search) (groupdn = "ldap:///cn=internet,ou=groups,dc=example,dc=com") ; ) -thanks murthy -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. 
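A concrete form of the ACI Ivan's reply points at, as an added example that is not code from the thread or its authors: the group DN is the one from the question, while the container DN ou=people,dc=example,dc=com and the OpenLDAP ldapmodify flags are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or its authors: the ACI Ivan's
# reply points at, stored on the container that holds the users (assumed
# here to be ou=people,dc=example,dc=com). The group DN is the one from the
# question. userdn="ldap:///self" is a bind rule, not a target: the entry
# being read must be the bound user's own entry, and the "and groupdn" part
# restricts the grant to members of the group.
#
# Form from the question, which the server rejected:
#   (target = "ldap:///self") (targetattr = "*") (version = 3.0; acl "test acl";
#    allow (read,search) (groupdn = "ldap:///cn=internet,ou=groups,dc=example,dc=com") ; )
# Even read as intended, a groupdn rule alone would let every member read
# every entry under the target, the opposite of "only his attributes".

# Print the LDIF modification that adds the ACI.
#   $1 = container DN that will carry the aci attribute
#   $2 = DN of the group whose members get read/search on their own entry
self_read_aci_ldif() {
  container=$1
  group=$2
  if [ -z "$container" ] || [ -z "$group" ]; then
    echo "usage: self_read_aci_ldif CONTAINER_DN GROUP_DN" >&2
    return 2
  fi
  cat <<EOF
dn: $container
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "group members read own entry"; allow (read,search,compare) (userdn = "ldap:///self" and groupdn = "ldap:///$group");)
EOF
}

# Apply it (not run here); OpenLDAP ldapmodify flags assumed:
#   self_read_aci_ldif "ou=people,dc=example,dc=com" \
#       "cn=internet,ou=groups,dc=example,dc=com" \
#     | ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W
```

After applying it, bind as a group member and search the container: only that member's own entry should come back, and a bind as a non-member should see nothing from this ACI.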
From beyonddc.storage at gmail.com Thu Apr 17 18:01:19 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 17 Apr 2008 14:01:19 -0400
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
Message-ID: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com>

Hi group,

I've a question about deleting the hierarchy tree using the Fedora DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify etc.).

Originally, I'm using the "ldapdelete" command from the openldapclient package with the "-r" flag to do a recursive delete on the hierarchy tree, but I want to know if there's any way I can achieve the same effect by using command line utilities from the Fedora DS package.

My original thought is to use ldapsearch, set it to return only the "dn" attribute and sorted by the "createtimestamp" attribute. Then use the returned result and run the ldapdelete command, assuming a child entry must have a later "createtimestamp" than its parent entry. However, the result returned back from ldapsearch is in ascending order of the "createtimestamp" attribute.

Is there a way to tell the ldapsearch command to sort returned results in descending order? or
Is there a more efficient way to delete a hierarchy tree through the command line?

Thanks!

David

From beyonddc.storage at gmail.com Thu Apr 17 18:32:31 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 17 Apr 2008 14:32:31 -0400
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
In-Reply-To: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com>
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com>
Message-ID: <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com>

Hi group,

I figured out how to sort in descending order using ldapsearch.

By default, it will always sort in ascending order. If I need to sort in descending order then I need to add a "-" prefix before my attribute name (e.g. -S -createtimestamp).

In addition, I can only get the descending search to work if I specify the sorting to be done by the server by passing the "-x" flag.

I still have the question about what is the best way to delete a hierarchy tree using the command line utilities provided by the Fedora-DS package.

My current plan is to do an ldapsearch with subtree scope and sort the createtimestamp attribute in descending order. Then take the output and run it with ldapdelete.

Thanks!

David

On Thu, Apr 17, 2008 at 2:01 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> Hi group,
>
> I've a question about deleting the hierarchy tree using the Fedora DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify etc.).
>
> Originally, I'm using the "ldapdelete" command from the openldapclient package with the "-r" flag to do a recursive delete on the hierarchy tree, but I want to know if there's any way I can achieve the same effect by using command line utilities from the Fedora DS package.
>
> My original thought is to use ldapsearch, set it to return only the "dn" attribute and sorted by the "createtimestamp" attribute. Then use the returned result and run the ldapdelete command, assuming a child entry must have a later "createtimestamp" than its parent entry. However, the result returned back from ldapsearch is in ascending order of the "createtimestamp" attribute.
>
> Is there a way to tell the ldapsearch command to sort returned results in descending order? or
> Is there a more efficient way to delete a hierarchy tree through the command line?
>
> Thanks!
>
> David

From ecjbosu at aol.com Thu Apr 17 21:57:57 2008
From: ecjbosu at aol.com (Joe W. Byers)
Date: Thu, 17 Apr 2008 16:57:57 -0500
Subject: [Fedora-directory-users] FDS logins after reboot
Message-ID: <1208469477.5978.0.camel@FSEAL-LT.localdomain>

I have FDS installed on an EL 5 server. I also have a Fedora 6 desktop and a Fedora 8 laptop. I can reboot the F6 desktop and enter any of my users set up in FDS on the EL5 server and log in with all their correct information. (I use NFS to mount the home dirs). This is good.

The F8 laptop is a different story. After a reboot, I have to log in as root and switch desktops to be able to see the FDS users. The initial startup of gdm has slowed down tremendously. I can log in as root and do an ldapsearch and see my FDS and all info. If I log off root, FDS seems to go away. I can only log in as root or the one user I have set up on the laptop. Again, I log in as root, then I can log in as a user in FDS.

Any thoughts?

Thank you all for your help.

Joe

From joona.hartman at gmail.com Fri Apr 18 10:41:55 2008
From: joona.hartman at gmail.com (J. Hartman)
Date: Fri, 18 Apr 2008 13:41:55 +0300
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
In-Reply-To: <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com>
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com> <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com>
Message-ID:

Hi,

I've done subtree deletion sometimes by sorting based on DN length. Delete the longest DNs first and it's certain that they are the leaves. The whole thing can be done in a one-liner.

-Joona

On Thu, Apr 17, 2008 at 9:32 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> Hi group,
>
> I figured out how to sort in descending order using ldapsearch.
>
> By default, it will always sort in ascending order. If I need to sort in descending order then I need to add a "-" prefix before my attribute name (e.g. -S -createtimestamp).
>
> In addition, I can only get the descending search to work if I specify the sorting to be done by the server by passing the "-x" flag.
>
> I still have the question about what is the best way to delete a hierarchy tree using the command line utilities provided by the Fedora-DS package.
>
> My current plan is to do an ldapsearch with subtree scope and sort the createtimestamp attribute in descending order. Then take the output and run it with ldapdelete.
>
> Thanks!
>
> David
>
> On Thu, Apr 17, 2008 at 2:01 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> > Hi group,
> >
> > I've a question about deleting the hierarchy tree using the Fedora DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify etc.).
> >
> > Originally, I'm using the "ldapdelete" command from the openldapclient package with the "-r" flag to do a recursive delete on the hierarchy tree, but I want to know if there's any way I can achieve the same effect by using command line utilities from the Fedora DS package.
> >
> > My original thought is to use ldapsearch, set it to return only the "dn" attribute and sorted by the "createtimestamp" attribute. Then use the returned result and run the ldapdelete command, assuming a child entry must have a later "createtimestamp" than its parent entry. However, the result returned back from ldapsearch is in ascending order of the "createtimestamp" attribute.
> >
> > Is there a way to tell the ldapsearch command to sort returned results in descending order? or
> > Is there a more efficient way to delete a hierarchy tree through the command line?
> >
> > Thanks!
> >
> > David

From michael at stroeder.com Fri Apr 18 10:52:25 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 18 Apr 2008 12:52:25 +0200
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
In-Reply-To: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com>
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com>
Message-ID: <48087D69.7000700@stroeder.com>

HI!

In web2ldap I've implemented in Python the recursive tree deletion, also based on various operational attributes like hasSubordinates, numSubordinates etc. It also catches the exception ldap.NOT_ALLOWED_ON_NONLEAF and starts a new search then. Also the exceptions ldap.SIZELIMIT_EXCEEDED and ldap.ADMINLIMIT_EXCEEDED are gracefully handled for large result sets hitting a server-side limit.

I'm not sure whether it's really "optimal" but I think I've managed to lower the number of search requests needed without having to rely on any sorting.

Ciao, Michael.

Chun Tat David Chu wrote:
> Hi group,
>
> I've a question about deleting the hierarchy tree using the Fedora DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify etc.).
>
> Originally, I'm using the "ldapdelete" command from the openldapclient package with the "-r" flag to do a recursive delete on the hierarchy tree, but I want to know if there's any way I can achieve the same effect by using command line utilities from the Fedora DS package.
>
> My original thought is to use ldapsearch, set it to return only the "dn" attribute and sorted by the "createtimestamp" attribute. Then use the returned result and run the ldapdelete command, assuming a child entry must have a later "createtimestamp" than its parent entry. However, the result returned back from ldapsearch is in ascending order of the "createtimestamp" attribute.
>
> Is there a way to tell the ldapsearch command to sort returned results in descending order? or
> Is there a more efficient way to delete a hierarchy tree through the command line?
>
> Thanks!
>
> David

--
Michael Ströder
Dipl.-Inform.
Klauprechtstr. 11
D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
Mobil: +49 170 2391920
E-Mail: michael at stroeder.com
http://www.stroeder.com

From Bernhard.Kronsteiner at cbc-x.com Fri Apr 18 11:57:39 2008
From: Bernhard.Kronsteiner at cbc-x.com (Kronsteiner Bernhard)
Date: Fri, 18 Apr 2008 13:57:39 +0200
Subject: [Fedora-directory-users] Group membership
Message-ID: <070019A957929B46B1DA5D74CA2F8AD46B8805@exchange.cobeco.local>

Hi all!

I have two installations of the Fedora directory server, A and B. Now I have users which are located on server B who should be in groups on server A. Is this possible in some way, or do I have to replicate those users who should have permissions on server A?

Thanks in advance,
Bernhard

_______________________________________
DI (FH) Bernhard Kronsteiner
Software Development
computer betting company gmbh
Commerz Park West | 4061 Pasching | Austria
Phone: +43.732.681666 - 0
Bernhard.Kronsteiner at cbc-x.com | www.cbc-x.com
Company Headquarters: Fuchselbachstrasse 7 | 4060 Leonding | Austria
Executive Board: Peter Matausch, Mag. Karl Sturmer

From beyonddc.storage at gmail.com Fri Apr 18 14:26:03 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 18 Apr 2008 10:26:03 -0400
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
In-Reply-To:
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com> <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com>
Message-ID: <20e4c38c0804180726nfb64112j421d4a1a86fad960@mail.gmail.com>

Joona,

Do you mind showing me how to sort by DN length and execute the ldapdelete? I looked at it a bit but I couldn't figure it out.

Thanks!

David

On Fri, Apr 18, 2008 at 6:41 AM, J. Hartman wrote:
> Hi,
>
> I've done subtree deletion sometimes by sorting based on DN length. Delete the longest DNs first and it's certain that they are the leaves. The whole thing can be done in a one-liner.
>
> -Joona
>
> On Thu, Apr 17, 2008 at 9:32 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> > Hi group,
> >
> > I figured out how to sort in descending order using ldapsearch.
> >
> > By default, it will always sort in ascending order. If I need to sort in descending order then I need to add a "-" prefix before my attribute name (e.g. -S -createtimestamp).
> >
> > In addition, I can only get the descending search to work if I specify the sorting to be done by the server by passing the "-x" flag.
> >
> > I still have the question about what is the best way to delete a hierarchy tree using the command line utilities provided by the Fedora-DS package.
> >
> > My current plan is to do an ldapsearch with subtree scope and sort the createtimestamp attribute in descending order. Then take the output and run it with ldapdelete.
> >
> > Thanks!
> >
> > David
> >
> > On Thu, Apr 17, 2008 at 2:01 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> > > Hi group,
> > >
> > > I've a question about deleting the hierarchy tree using the Fedora DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify etc.).
> > >
> > > Originally, I'm using the "ldapdelete" command from the openldapclient package with the "-r" flag to do a recursive delete on the hierarchy tree, but I want to know if there's any way I can achieve the same effect by using command line utilities from the Fedora DS package.
> > >
> > > My original thought is to use ldapsearch, set it to return only the "dn" attribute and sorted by the "createtimestamp" attribute. Then use the returned result and run the ldapdelete command, assuming a child entry must have a later "createtimestamp" than its parent entry. However, the result returned back from ldapsearch is in ascending order of the "createtimestamp" attribute.
> > >
> > > Is there a way to tell the ldapsearch command to sort returned results in descending order? or
> > > Is there a more efficient way to delete a hierarchy tree through the command line?
> > >
> > > Thanks!
> > >
> > > David
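Joona's "longest DN first" ordering worked through, as an added example that is not code from the thread or its authors: a POSIX shell function that turns ldapsearch LDIF output into a delete order, handling folded lines and base64 DNs. The sample LDIF is constructed, and the ldapsearch/ldapdelete flags in the comment are OpenLDAP's (the Fedora DS tools take different options, as David's "-x" and "-S" usage shows).

```shell
#!/bin/sh
# Added example, not code from the thread or its authors: order a subtree
# for deletion by Joona's rule, longest DN first. A child's DN is its RDN
# plus "," plus the parent's DN, so it is always strictly longer than the
# parent's, and length-descending order therefore lists every entry after
# all of its descendants (no dependence on createtimestamp or server-side
# sorting). Assumes GNU coreutils (base64 -d) and a POSIX awk.

# Read ldapsearch LDIF output (the "dn" attribute only) on stdin and print
# one DN per line, longest first. Handles two LDIF details that a naive
# grep misses: folded lines (a leading space continues the previous line)
# and base64 DNs ("dn:: ..."), which the server uses for non-ASCII RDNs.
dns_longest_first() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }   # continuation line: append
          { if (buf != "") print buf; buf = $0 }
    END   { if (buf != "") print buf }
  ' |
  while IFS= read -r line; do
    case "$line" in
      "dn:: "*) printf '%s\n' "${line#"dn:: "}" | base64 -d; printf '\n' ;;
      "dn: "*)  printf '%s\n' "${line#"dn: "}" ;;
    esac
  done |
  awk '{ print length($0) "\t" $0 }' | sort -rn | cut -f2-
}

# Constructed sample of what "ldapsearch -LLL ... dn" returns: a folded DN
# and a base64 DN (uid=jürgen,...) are included on purpose.
SAMPLE_LDIF='dn: ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com

dn: cn=very long common name that the client wraps onto a second line,ou=pe
 ople,dc=example,dc=com

dn:: dWlkPWrDvHJnZW4sb3U9cGVvcGxlLGRjPWV4YW1wbGUsZGM9Y29t
'

# Returns the sample in delete order (leaves first, ou=people last).
delete_order_demo() {
  printf '%s' "$SAMPLE_LDIF" | dns_longest_first
}

# Against a live server (not run here), with OpenLDAP client flags:
#   ldapsearch -x -LLL -H ldap://ldap.example.com -D "$BIND_DN" -W \
#       -b "ou=people,dc=example,dc=com" -s sub '(objectClass=*)' dn \
#     | dns_longest_first \
#     | ldapdelete -x -H ldap://ldap.example.com -D "$BIND_DN" -W -c
# ldapdelete reads one DN per line from stdin; -c continues past errors.
```

Pipe the search into a file first and review it before piping into ldapdelete: the bind DN needs delete rights on the whole subtree, so a wrong base DN removes far more than intended.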
URL: From pthagonal at gmail.com Fri Apr 18 21:59:58 2008 From: pthagonal at gmail.com (Tony) Date: Fri, 18 Apr 2008 22:59:58 +0100 Subject: [Fedora-directory-users] error while using migrate-ds-admin.pl from 1.04 to 1.1.0 Message-ID: <50ad34450804181459j6588b960lb134fedc36aeb88e@mail.gmail.com> Hi, I'm trying to upgrade from 1.0.4 to 1.1.0 on a CentOS 5 system. I tested everything in a vm and all went fine, but come to the real live server and when I try to migrate the data, this happens: [root at sputnik ~]# migrate-ds-admin.pl -f temp.inf Beginning migration of Directory and Administration servers from /opt/fedora-ds . . . Beginning migration of directory server instances in /opt/fedora-ds . . . Your new DS instance 'slapd-directory' was successfully created. [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.) [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.) Could not start the directory server using command '/usr/lib/dirsrv/slapd-directory/start-slapd'. The last line from the error log was '[18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.) '. Error: Unknown error 256 Exiting . . . Log file is '/tmp/migrateCGDfkB.log' Anyone seen this before, or can help me get around it? I think the migrate script is trying to start the new ldap server having not managed to stop the old one- does that make sense? But the old version has to be running in order to do the migration.... catch 22? Cheers, Tony -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From howard at cohtech.com Sat Apr 19 09:12:55 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Sat, 19 Apr 2008 10:12:55 +0100 Subject: [Fedora-directory-users] Passwords with Unicode characters Message-ID: <4809B797.3040103@cohtech.com> We have run into a 'funny' when using the password_modify plugin we get an unexpected result in trying to set a password. The password used had a '?' (British Pund Symbol) in it. The server accepted the password but would not allow the use of the same string to log in. I suspect that the passwords are being 8th bit stripped. Is this possible, correct, and what should happen? Is there any facility to set a Unicode string as a password. If so what format (UTF-8, UTF-16[BE|LE], ...) should it take. Regards, Howard -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From howard at cohtech.com Sat Apr 19 10:40:27 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Sat, 19 Apr 2008 11:40:27 +0100 Subject: [Fedora-directory-users] Passwords with Unicode characters In-Reply-To: <4809B797.3040103@cohtech.com> References: <4809B797.3040103@cohtech.com> Message-ID: <4809CC1B.7030508@cohtech.com> Howard Wilkinson wrote: > We have run into a 'funny' when using the password_modify plugin we > get an unexpected result in trying to set a password. The password > used had a '?' (British Pund Symbol) in it. The server accepted the > password but would not allow the use of the same string to log in. I > suspect that the passwords are being 8th bit stripped. Is this > possible, correct, and what should happen? > > Is there any facility to set a Unicode string as a password. If so > what format (UTF-8, UTF-16[BE|LE], ...) should it take. 
> > Regards, Howard > -- > > Howard Wilkinson > > > > Phone: > > > > +44(20)76907075 > > Coherent Technology Limited > > > > Fax: > > > > > > 23 Northampton Square, > > > > Mobile: > > > > +44(7980)639379 > > United Kingdom, EC1V 0HL > > > > Email: > > > > howard at cohtech.com > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > I have made this work by switching off 7-bit clean, and changing the password complexity so that the minimum of each class is zero and there is a requirement for 3 classes. BUT there is a definite bug in the 7-bit clean interface as it removes the 8th-bit and does not reject the request when setting the password. I would have expected a code 19 - Constraint violation in this case. -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From itonohito at gmail.com Sat Apr 19 11:03:17 2008 From: itonohito at gmail.com (Itonohito) Date: Sat, 19 Apr 2008 14:03:17 +0300 Subject: [Fedora-directory-users] DS doesn't load sudo and host attribute schemas - just silently ignores them Message-ID: <4809D175.7090809@gmail.com> Hello! I've installed Fedora DS 1.1 at Fedora Core 7. Configured and running. Now I'm trying to add two following schemas to it: 1. 
Schema, adding host attribute to restrict login access for users per host basis: #--------------------------------------------------------------------- # dn: cn=schema # #--------------------------------------------------------------------- # # objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService ) # objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService ) # #--------------------------------------------------------------------- # # objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary object class for adding host attribute' SUP top AUXILIARY MAY host ) # objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary object class for adding host attribute' SUP top AUXILIARY MAY host ) # #--------------------------------------------------------------------- # # attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) # attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) 2. 
Schema for sudo support: #--------------------------------------------------------------------- # dn: cn=schema # #--------------------------------------------------------------------- # # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # #--------------------------------------------------------------------- # # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # #--------------------------------------------------------------------- # # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # #--------------------------------------------------------------------- # # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) Both are created by RFC2252 compliant convertor ol2rhds.pl, found in Fedora DS Wiki site. 
I placed that two schemas as files 70host.ldif and 71sudoers.ldif into schema subdirectory of dirsrv (to be exact - I placed three schemas, but third one - for dhcp, works fine). And restarted server. But server doesn't load them, looks like it even doesn't see them. They have ownership and permissions exactly the same as all other schema files in that directory though. Here's full list of schema files: 00core.ldif 01common.ldif 05rfc2247.ldif 05rfc2927.ldif 10presence.ldif 10rfc2307.ldif 20subscriber.ldif 25java-object.ldif 28pilot.ldif 30ns-common.ldif 50ns-admin.ldif 50ns-certificate.ldif 50ns-directory.ldif 50ns-mail.ldif 50ns-value.ldif 50ns-web.ldif 60pam-plugin.ldif 64ldapdhcp.ldif 70host.ldif 71sudoers.ldif 99user.ldif And I see no errors in error-log. I turned on output of all debug data into log file via Management Console and restarted server again - there are huge amount of debug info in the error-log - but nothing about that two schemas... Here goes part of log, where server loads schema files: [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema" [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="# #***********************************************..." [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema" [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="dn: cn=schema objectClass: top objectClass: ldapSu..." 
[19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema" [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/99user.ldif (primary file) Can somebody give me any clue? What I missed, what I did wrong?... -- Yours truly, Oleg From rmeggins at redhat.com Sat Apr 19 14:53:28 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Sat, 19 Apr 2008 08:53:28 -0600 Subject: [Fedora-directory-users] error while using migrate-ds-admin.pl from 1.04 to 1.1.0 In-Reply-To: <50ad34450804181459j6588b960lb134fedc36aeb88e@mail.gmail.com> References: <50ad34450804181459j6588b960lb134fedc36aeb88e@mail.gmail.com> Message-ID: <480A0768.2020804@redhat.com> Tony wrote: > Hi, > > I'm trying to upgrade from 1.0.4 to 1.1.0 on a CentOS 5 system. I > tested everything in a vm and all went fine, but come to the real live > server and when I try to migrate the data, this happens: > > [root at sputnik ~]# migrate-ds-admin.pl -f temp.inf > Beginning migration of Directory and Administration servers from > /opt/fedora-ds . . . > Beginning migration of directory server instances in /opt/fedora-ds . . . > Your new DS instance 'slapd-directory' was successfully created. > [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All > Interfaces port 389 failed: Netscape Portable Runtime error -5982 > (Local Network address is in use.) > [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All > Interfaces port 389 failed: Netscape Portable Runtime error -5982 > (Local Network address is in use.) > Could not start the directory server using command > '/usr/lib/dirsrv/slapd-directory/start-slapd'. The last line from the > error log was '[18/Apr/2008:22:34:50 +0100] createprlistensockets - > PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime > error -5982 (Local Network address is in use.) > '. 
Error: Unknown error 256 > Exiting . . . > Log file is '/tmp/migrateCGDfkB.log' > > Anyone seen this before, or can help me get around it? I think the > migrate script is trying to start the new ldap server having not > managed to stop the old one- does that make sense? But the old version > has to be running in order to do the migration.... catch 22? The old version should not be running. Is there some documentation that leads you to believe that the old version has to be running? If so, we need to fix it. > > Cheers, > > Tony > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Sat Apr 19 15:03:06 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Sat, 19 Apr 2008 09:03:06 -0600 Subject: [Fedora-directory-users] DS doesn't load sudo and host attribute schemas - just silently ignores them In-Reply-To: <4809D175.7090809@gmail.com> References: <4809D175.7090809@gmail.com> Message-ID: <480A09AA.1080801@redhat.com> Itonohito wrote: > Hello! > > I've installed Fedora DS 1.1 at Fedora Core 7. Configured and running. > Now I'm trying to add two following schemas to it: > > 1. 
Schema, adding host attribute to restrict login access for users > per host basis: > #--------------------------------------------------------------------- > # > dn: cn=schema > # > #--------------------------------------------------------------------- > # > # objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME > 'authorizedServiceObject' DESC 'Auxiliary object class for adding > authorizedService attribute' SUP top AUXILIARY MAY authorizedService ) > # > objectClasses: ( > 1.3.6.1.4.1.5322.17.1.1 > NAME 'authorizedServiceObject' > DESC 'Auxiliary object class for adding authorizedService attribute' > SUP top > AUXILIARY > MAY authorizedService > ) > # > #--------------------------------------------------------------------- > # > # objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC > 'Auxiliary object class for adding host attribute' SUP top AUXILIARY > MAY host ) > # > objectClasses: ( > 1.3.6.1.4.1.5322.17.1.2 > NAME 'hostObject' > DESC 'Auxiliary object class for adding host attribute' > SUP top > AUXILIARY > MAY host > ) > # > #--------------------------------------------------------------------- > # > # attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' > DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) > # > attributeTypes: ( > 1.3.6.1.4.1.5322.17.2.1 > NAME 'authorizedService' > DESC 'IANA GSS-API authorized service name' > EQUALITY caseIgnoreMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} > ) > > > 2. 
Schema for sudo support:
> #---------------------------------------------------------------------
> #
> dn: cn=schema
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.1
>   NAME 'sudoUser'
>   DESC 'User(s) who may run sudo'
>   EQUALITY caseExactIA5Match
>   SUBSTR caseExactIA5SubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.2
>   NAME 'sudoHost'
>   DESC 'Host(s) who may run sudo'
>   EQUALITY caseExactIA5Match
>   SUBSTR caseExactIA5SubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.3
>   NAME 'sudoCommand'
>   DESC 'Command(s) to be executed by sudo'
>   EQUALITY caseExactIA5Match
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.4
>   NAME 'sudoRunAs'
>   DESC 'User(s) impersonated by sudo'
>   EQUALITY caseExactIA5Match
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
>
>
> Both are created by
RFC2252 compliant convertor ol2rhds.pl, found in
> Fedora DS Wiki site.
>
> I placed those two schemas as files 70host.ldif and 71sudoers.ldif into
> schema subdirectory of dirsrv (to be exact, I placed three schemas,
> but the third one, for dhcp, works fine). And restarted the server.

/etc/dirsrv/schema is the schema used when creating new instances of directory server. If you already have an instance (e.g. /etc/dirsrv/slapd-foo) you should copy the schema files into /etc/dirsrv/slapd-foo/schema.

> But the server doesn't load them; it looks like it doesn't even see them.
> They have ownership and permissions exactly the same as all other
> schema files in that directory though. Here's the full list of schema files:
>
> 00core.ldif
> 01common.ldif
> 05rfc2247.ldif
> 05rfc2927.ldif
> 10presence.ldif
> 10rfc2307.ldif
> 20subscriber.ldif
> 25java-object.ldif
> 28pilot.ldif
> 30ns-common.ldif
> 50ns-admin.ldif
> 50ns-certificate.ldif
> 50ns-directory.ldif
> 50ns-mail.ldif
> 50ns-value.ldif
> 50ns-web.ldif
> 60pam-plugin.ldif
> 64ldapdhcp.ldif
> 70host.ldif
> 71sudoers.ldif
> 99user.ldif
>
> And I see no errors in the error-log. I turned on output of all debug data
> into the log file via Management Console and restarted the server again -
> there is a huge amount of debug info in the error-log - but nothing
> about those two schemas...
> Here is the part of the log where the server loads schema files:
>
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="#
> #***********************************************..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="dn:
> cn=schema
> objectClass: top
> objectClass: ldapSu..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/99user.ldif
> (primary file)
>
>
> Can somebody give me any clue? What did I miss, what did I do wrong?...

From pthagonal at gmail.com Sun Apr 20 16:08:13 2008
From: pthagonal at gmail.com (Tony)
Date: Sun, 20 Apr 2008 17:08:13 +0100
Subject: [Fedora-directory-users] error while using migrate-ds-admin.pl from 1.04 to 1.1.0
In-Reply-To: <480A0768.2020804@redhat.com>
References: <50ad34450804181459j6588b960lb134fedc36aeb88e@mail.gmail.com> <480A0768.2020804@redhat.com>
Message-ID: <50ad34450804200908i50a42856gf02416a030ee9271@mail.gmail.com>

On Sat, Apr 19, 2008 at 3:53 PM, Rich Megginson wrote:
> Tony wrote:
>
> > I'm trying to upgrade from 1.0.4 to 1.1.0 on a CentOS 5 system. I
> > tested everything in a vm and all went fine, but come to the real live
> > server and when I try to migrate the data, this happens:
> >
> > [root at sputnik ~]# migrate-ds-admin.pl -f temp.inf
> > Beginning migration of Directory and Administration servers from
> > /opt/fedora-ds . . .
> > Beginning migration of directory server instances in /opt/fedora-ds . . .
> > Your new DS instance 'slapd-directory' was successfully created.
> > [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All
> > Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local
> > Network address is in use.)
> > [18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on All
> > Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local
> > Network address is in use.)
> > Could not start the directory server using command
> > '/usr/lib/dirsrv/slapd-directory/start-slapd'. The last line from the error
> > log was '[18/Apr/2008:22:34:50 +0100] createprlistensockets - PR_Bind() on
> > All Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local
> > Network address is in use.)
> > '. Error: Unknown error 256
> > Exiting . . .
> > Log file is '/tmp/migrateCGDfkB.log'
> >
> > Anyone seen this before, or can help me get around it? I think the
> > migrate script is trying to start the new ldap server having not managed to
> > stop the old one- does that make sense? But the old version has to be
> > running in order to do the migration.... catch 22?
>
> The old version should not be running. Is there some documentation that
> leads you to believe that the old version has to be running? If so, we need
> to fix it.

Ah, that would be it then- bit obvious really. I don't think I saw anything to say either way whether the services should be running or not. I wasn't taking enough notice on my test run and simply assumed that because the new services were running after the migrate script had run that the old ones must have been running beforehand - a sort of symmetry. But with standard init scripts being a new thing in this release I guess it would be tricky to have detected and/or stopped the old services in a reliable way within the script.

I ran the migration again with the services initially stopped and it worked just fine of course. Thanks for your help.

Cheers,

Tony
From joona.hartman at gmail.com Mon Apr 21 14:04:33 2008
From: joona.hartman at gmail.com (J. Hartman)
Date: Mon, 21 Apr 2008 17:04:33 +0300
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
In-Reply-To: <20e4c38c0804180726nfb64112j421d4a1a86fad960@mail.gmail.com>
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com> <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com> <20e4c38c0804180726nfb64112j421d4a1a86fad960@mail.gmail.com>

I can't remember how exactly I did it, but I recall I used awk and sort in between to count the line length (awk) and do numeric sort on the resulting line.

Something like this:

$ ldapsearch -b BASEDN "objectclass=*" | awk '/dn:/ {l=length($0); sub(/dn:/,""); print l $0}' | sort -rn | cut ... | ldapdelete ...

Gets a bit nasty but something like that should work.

Hope that helps!

On Fri, Apr 18, 2008 at 5:26 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> Joona,
>
> Do you mind showing me how to sort by DN length? and execute the
> ldapdelete?
> I looked at it a bit but I couldn't figure out.
>
> Thanks!
>
> David
>
>
> On Fri, Apr 18, 2008 at 6:41 AM, J. Hartman wrote:
>
> > Hi,
> >
> > I've done subtree deletion sometimes by sorting based on DN length.
> > Delete longest DNs first and it's certain that they are the leaves. The whole
> > thing can be done in a one-liner.
> >
> > -Joona
> >
> > On Thu, Apr 17, 2008 at 9:32 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> >
> > > Hi group,
> > >
> > > I figured out how to sort in descending order using ldapsearch.
> > >
> > > By default, it will always sort in ascending order. If I need to sort
> > > in descending then I need to add a "-" prefix before my attribute name.
> > > (e.g. -S -createtimestamp).
> > >
> > > In addition, I can only get the descending search work only if I
> > > specify the sorting to be done by the server by passing the "-x" flag.
> > >
> > > I still have the question about what is the best way to delete a
> > > hierarchy tree using command line utility provided by Fedora-DS package.
> > >
> > > My current plan is to do a ldapsearch with subtree scope and sort the
> > > createtimestamp attribute in descending order. Then take the output and run
> > > it with ldapdelete.
> > >
> > > Thanks!
> > >
> > > David
> > >
> > >
> > > On Thu, Apr 17, 2008 at 2:01 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> > >
> > > > Hi group,
> > > >
> > > > I've a question about deleting the hierarchy tree using the Fedora
> > > > DS provided command line utilities (e.g. ldapdelete, ldapsearch, ldapmodify
> > > > and etc).
> > > >
> > > > Originally, I'm using the "ldapdelete" command from the
> > > > openldapclient package with the "-r" flag to do recursive delete on the
> > > > hierarchy tree, but I want to know if there's any way I can achieve the same
> > > > effect by using command line utilities from the Fedora DS package.
> > > >
> > > > My original thought is to use ldapsearch, set it to return only the
> > > > "dn" attribute and sorted by "createtimestamp" attribute. Then use the
> > > > returned result and run the ldapdelete command. Assuming a child entry must
> > > > have a later "createtimestamp" than parent entry. However, the result
> > > > returned back from ldapsearch is in ascending order of the "createtimestamp"
> > > > attribute.
> > > >
> > > > Is there a way to tell the ldapsearch command to sort returned
> > > > result in descending order? or
> > > > Is there a more efficient way to delete a hierarchy tree through
> > > > command line?
> > > >
> > > > Thanks!
> > > >
> > > > David
> > > >

From beyonddc.storage at gmail.com Mon Apr 21 14:30:59 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 21 Apr 2008 10:30:59 -0400
Subject: [Fedora-directory-users] Question on hierarchy tree deletion
References: <20e4c38c0804171101x53fe8e4chc97178bcf4237617@mail.gmail.com> <20e4c38c0804171132q10ba9015ibfb78da3830ade2d@mail.gmail.com> <20e4c38c0804180726nfb64112j421d4a1a86fad960@mail.gmail.com>
Message-ID: <20e4c38c0804210730w657a83b8t26252e173b4d5b4e@mail.gmail.com>

Great! I'll try that out.

Thanks,

David

On Mon, Apr 21, 2008 at 10:04 AM, J. Hartman wrote:
> I can't remember how exactly I did it, but I recall I used awk and sort in
> between to count the line length (awk) and do numeric sort on the resulting
> line.
>
> Something like this:
>
> $ ldapsearch -b BASEDN "objectclass=*" | awk '/dn:/ {l=length($0);
> sub(/dn:/,""); print l $0}' | sort -rn | cut ... | ldapdelete ...
>
> Gets a bit nasty but something like that should work.
>
> Hope that helps!

From ggistra at aol.com Mon Apr 21 15:44:31 2008
From: ggistra at aol.com (ggistra at aol.com)
Date: Mon, 21 Apr 2008 11:44:31 -0400
Subject: [Fedora-directory-users] Using EXTERNAL SASL authentication mechanism
Message-ID: <8CA71DDB99D87BF-154C-13D3@mblk-d15.sysops.aol.com>

Can the SASL EXTERNAL mechanism be used to support symmetric key authentication (non-Kerberos)? Is there any documentation on how to configure it?
How about documentation on using the DIGEST-MD5 authentication method?

Thanks,
Gabi Istrail

From girishkumar at mtnl.net.in Tue Apr 22 08:12:14 2008
From: girishkumar at mtnl.net.in (girishkumar at mtnl.net.in)
Date: Tue, 22 Apr 2008 13:12:14 +0500
Subject: [Fedora-directory-users] Query Regarding Fedora Directory server 1.0.4

Hello,
We wish to use Fedora directory server 1.0.4 for our application. The operating system we use is of Linux Enterprise edition 5.1. Is it possible to use Fedora 1.0.4 with Linux EL 5.1. If so, what are the tasks we have to do?

Girish Kumar .G
JTO - Internet

From solarflow99 at gmail.com Tue Apr 22 09:10:41 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 22 Apr 2008 10:10:41 +0100
Subject: [Fedora-directory-users] Query Regarding Fedora Directory server 1.0.4
Message-ID: <7020fd000804220210n1e8323bey9f906b0208dc8a92@mail.gmail.com>

I'm not sure 1.04 works on rhel5; if you can use FDS 1.1 it does work very well. There are simple instructions in the wiki.

On 4/22/08, girishkumar at mtnl.net.in wrote:
>
> Hello,
> We wish to use Fedora directory server 1.0.4 for our application. The
> operating system we use is of Linux Enterprise edition 5.1. Is it
> possible to use Fedora 1.0.4 with Linux EL 5.1. If so, what are the
> tasks we have to do?
>
> Girish Kumar .G
> JTO - Internet
From rmeggins at redhat.com Tue Apr 22 13:09:16 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Apr 2008 07:09:16 -0600
Subject: [Fedora-directory-users] Query Regarding Fedora Directory server 1.0.4
Message-ID: <480DE37C.5000502@redhat.com>

girishkumar at mtnl.net.in wrote:
> Hello,
> We wish to use Fedora directory server 1.0.4 for our application. The
> operating system we use is of Linux Enterprise edition 5.1. Is it
> possible to use Fedora 1.0.4 with Linux EL 5.1. If so, what are the
> tasks we have to do?
>
Use the Fedora Core 6 RPM on EL 5

> Girish Kumar .G
> JTO - Internet

From girishkumar at mtnl.net.in Tue Apr 22 06:36:32 2008
From: girishkumar at mtnl.net.in (girishkumar at mtnl.net.in)
Date: Tue, 22 Apr 2008 11:36:32 +0500
Subject: [Fedora-directory-users] Query Regarding Fedora Directory server 1.0.4
Message-ID: <3c545770.57703c54@mtnl.net.in>

Hello,
We wish to use Fedora directory server 1.0.4 for our application. The operating system we use is of Linux Enterprise edition 5.0. Is it possible to use Fedora 1.0.4 with Linux EL 5.0. If so, what are the tasks we have to do?

Girish Kumar .G
JTO - Internet

From kevin.zona.mail at gmail.com Mon Apr 21 20:14:50 2008
From: kevin.zona.mail at gmail.com (Kevin Zona)
Date: Mon, 21 Apr 2008 16:14:50 -0400
Subject: [Fedora-directory-users] timeout limit idle connections?

We are seeing a lot of open connections to our server, and I was wondering what a suggested timeout value would be for connections. We have around 200 clients and two servers that have around 1000+ current connections. Any opinions appreciated, thanks.
-Kevin

From rmeggins at redhat.com Tue Apr 22 14:32:27 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Apr 2008 08:32:27 -0600
Subject: [Fedora-directory-users] Query Regarding Fedora Directory server 1.0.4
In-Reply-To: <3c545770.57703c54@mtnl.net.in>
References: <3c545770.57703c54@mtnl.net.in>
Message-ID: <480DF6FB.2000805@redhat.com>

girishkumar at mtnl.net.in wrote:
> Hello,
> We wish to use Fedora directory server 1.0.4 for our application.

Why 1.0.4 instead of 1.1?

> The
> operating system we use is of Linux Enterprise edition 5.0. Is it
> possible to use Fedora 1.0.4 with Linux EL 5.0. If so, what are the
> tasks we have to do.?
>
Install the Fedora Core 6 RPM - then follow the install guide and setup instructions

> Girish Kumar .G
> JTO - Internet

From rmeggins at redhat.com Tue Apr 22 15:17:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Apr 2008 09:17:55 -0600
Subject: [Fedora-directory-users] Security vulnerability in fedora-ds-admin (April 22, 2008)
Message-ID: <480E01A3.201@redhat.com>

The fedora-ds-admin-1.1.0 package has a couple of security vulnerabilities:

* CVE-2008-0892 Directory Server: shell command injection in CGI replication monitor - https://bugzilla.redhat.com/show_bug.cgi?id=437301
* CVE-2008-0893 Directory Server: unrestricted access to CGI scripts - https://bugzilla.redhat.com/show_bug.cgi?id=437320

The new package is fedora-ds-admin-1.1.4-1

This package is available from the Fedora yum repository for F-7 and later, or from the dirsrv yum repo on Fedora 6 and EL5.
See Install_Guide for information about how to use these yum repositories for your platform.

There are also updates to the adminutil (new version 1.1.6) and to some of the other packages. These updates are recommended.

*NOTE for Fedora 8 and later users:* all of the packages are now in the standard Fedora repos. Please remove your /etc/yum.repos.d/idmcommon.repo and /etc/yum.repos.d/dirsrv.repo files before you install or upgrade. See Install_Guide for more information.

*NOTE for Fedora 6, 7 and EL5 users:* You may get an error about a missing dependency fedora-admin-console when upgrading. If you get this error, remove the old fedora-ds package (yum erase fedora-ds) and upgrade again.

From pauloviolada at gmail.com Wed Apr 23 02:24:35 2008
From: pauloviolada at gmail.com (Paulo Alberto)
Date: Tue, 22 Apr 2008 23:24:35 -0300
Subject: [Fedora-directory-users] ACLUserCacheSize

Hello, how do I increase the ACLUserCacheSize parameter? The default is 200, right? In the log files I see a lot of "acl__TestRights - cache overflown" messages.

Thanks in advance.

Paulo Alberto

From siggi at betware.com Wed Apr 23 15:19:45 2008
From: siggi at betware.com (Sigurður Bjarnason)
Date: Wed, 23 Apr 2008 15:19:45 -0000
Subject: [Fedora-directory-users] Disallow Anonymous bind
Message-ID: <9AAC0D944FD6334FB8635228AE7110C0D1DA6F@Exchange.betware.com>

Hi All,

Does anyone have a clue on how to disallow anonymous bind to Fedora Directory server?

Regards
Siggi
From rmeggins at redhat.com Wed Apr 23 16:22:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 23 Apr 2008 10:22:55 -0600
Subject: [Fedora-directory-users] Disallow Anonymous bind
In-Reply-To: <9AAC0D944FD6334FB8635228AE7110C0D1DA6F@Exchange.betware.com>
References: <9AAC0D944FD6334FB8635228AE7110C0D1DA6F@Exchange.betware.com>
Message-ID: <480F625F.6010002@redhat.com>

Sigurður Bjarnason wrote:
>
> Hi All,
>
> Does anyone have a clue on how to disallow anonymous bind to Fedora
> Directory server?
>
Not possible currently. It's on the roadmap for a future release.

> Regards
>
> Siggi

From pauloviolada at gmail.com Wed Apr 23 23:03:41 2008
From: pauloviolada at gmail.com (Paulo Alberto)
Date: Wed, 23 Apr 2008 20:03:41 -0300
Subject: [Fedora-directory-users] FDS - SEGFAULT

Hi,

I'm getting a SEGFAULT with fedora-ds-1.1.0-3.fc6.
The script below can reproduce this: ---------------------------------------- #!/bin/bash FILTER="111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111" for a in $(seq 1 5); do ldapsearch -w xxxxxxx -h h.h.h.h -x -b "o=xxxxxxxx" -D "uid=zzzzzzzz,ou=yyyyyy,ou=wwwwwww,ou=vvvvvvv,o=tttttttt" 
"(&(|(objectClass=inetorgperson)(objectClass=posixaccount))(|(cn=*$FILTER*)(mail=*$FILTER*)(mozillasecondemail=*$FILTER*)))" uidNumber uid cn givenName sn audio description labeledUri o ou title street l st postalCode telephoneNumber homePhone facsimileTelephoneNumber mobile pager mail roomNumber jpegPhoto displayName postalAddress userSMIMECertificate mozillaworkstreet2 c mozillahomestreet mozillahomestreet2 mozillahomelocalityname mozillahomestate mozillahomepostalcode mozillahomecountryname mozillasecondemail mozillahomeurl mozillapostaladdress2 co mozillahomepostaladdress2 birthDate note carPhone primaryPhone category businessRole assistantPhone assistantName fileAs homeFacsimileTelephoneNumber freeBusyURI calendarURI otherPhone callbackPhone entryuuid uid uidNumber objectClass createTimestamp modifyTimestamp creatorsName modifiersName
done
---------------------------------------

Is it a bug, or can I limit the search filter length?

The system is RHEL5.1 x86_64 and tested with Fedora8 i386 (same result).

From hamza.aissat at capgemini.com Wed Apr 23 15:15:20 2008
From: hamza.aissat at capgemini.com (Aissat, Hamza)
Date: Wed, 23 Apr 2008 17:15:20 +0200
Subject: [Fedora-directory-users] Updating password issue

Hi,

I have installed and configured fds with "user must change his password after reset". I created a normal user and when I try to update my password with ldappasswd, I have this error message:

Password has been reset by an administrator; you must change it.
ldap_search: DSA is unwilling to perform

How can I update my password? Isn't this a chicken-and-egg problem?

Thanks in advance
From glenn at mail.txwes.edu Thu Apr 24 17:09:42 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 24 Apr 2008 12:09:42 -0500
Subject: [Fedora-directory-users] Gateway Access
Message-ID: <20080424170445.M58335@mail.txwes.edu>

Is it possible to limit access to the directory through the Directory Server Gateway? Ideally, we would like to make the gateway available only to the 10,000 users in our directory. The way it is configured now, anyone with access to the gateway web site can search the directory. We are running Fedora Directory 1.0.4. Thanks for any ideas. -G.

From rmeggins at redhat.com Thu Apr 24 17:16:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Apr 2008 11:16:41 -0600
Subject: [Fedora-directory-users] Gateway Access
In-Reply-To: <20080424170445.M58335@mail.txwes.edu>
References: <20080424170445.M58335@mail.txwes.edu>
Message-ID: <4810C079.5080407@redhat.com>

Glenn wrote:
> Is it possible to limit access to the directory through the Directory Server
> Gateway? Ideally, we would like to make the gateway available only to the
> 10,000 users in our directory. The way it is configured now, anyone with
> access to the gateway web site can search the directory. We are running
> Fedora Directory 1.0.4. Thanks for any ideas. -G.
>
It might be possible to use the Apache access control. Take a look at /etc/dirsrv/admin-serv/admserv.conf. The main urls are protected by admin server access control, which requires ldap authentication to access those urls.
From rmeggins at redhat.com Thu Apr 24 21:23:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Apr 2008 15:23:44 -0600
Subject: [Fedora-directory-users] Announcing web apps package for Fedora DS 1.1 - fedora-ds-dsgw
Message-ID: <4810FA60.5090402@redhat.com>

The web applications have been moved into a separate package called fedora-ds-dsgw. This package contains the Phonebook, Org Chart, and DS Gateway applications. This package is now available as an add-on for the fedora-ds-admin package. The shell script /usr/sbin/setup-ds-dsgw is provided to configure the applications and enable them to be used from the Admin Server home page (as in 1.0 and earlier versions). See the DSGW_Install_Guide for more information.

From alex at davz.net Wed Apr 30 08:34:08 2008
From: alex at davz.net (Alex Davies)
Date: Wed, 30 Apr 2008 10:34:08 +0200
Subject: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
Message-ID: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com>

Hi All,

We have an AD architecture setup, and are looking to sync FDS with this to allow us to authenticate Linux machines and network devices. We have two AD domains, and have a winsync and passsync setup with one of the domain controllers in each domain. This works, subject to the limitation that we have to manually create each OU. Once we create the OU in FDS, the users appear at the next sync.
Question 1: is it possible to automatically sync *all* OUs, including creating the OU in FDS if it does not exist? We have hundreds of OUs, and I don't want to have to create them all manually.

Question 2 is on UNIX UID/GID sync from AD. I've found a couple of posts which imply that it is not possible to sync UID/GID from AD[1], but this was some time ago. An alternative piece of documentation suggests that it is, but provides no details[2]. I'm also struggling to find documentation on the libdna plugin, which I believe is involved[3].

My questions are
- Is it possible to sync UID/GID from AD (where AD has the Unix Tools installed, and therefore has these attributes in the schema)?
- Is it possible to automatically apply a unique UID/GID to each user that does not have a UID/GID?

Any help/pointers greatly appreciated.

Many thanks,

Alex

[1] http://www.redhat.com/archives/fedora-directory-users/2007-February/msg00111.html
[2] "Fedora DS gets posix/unix automatic uid generation (February 08, 2007) The cvs head now contains a new feature for automatic generation of sequenced numbers which is compatible with multi-master replication environments. This feature can be used for automatic generation of posix uidNumber and gidNumber in addition to other sequenced numeric attributes required by your deployment." http://directory.fedoraproject.org/
[3] About the only reference I can find: http://www.redhat.com/archives/fedora-directory-users/2008-January/msg00081.html

From siggi at betware.com Wed Apr 30 11:00:19 2008
From: siggi at betware.com (Sigurður Bjarnason)
Date: Wed, 30 Apr 2008 11:00:19 +0000
Subject: [Fedora-directory-users] Express web console

Hi All

Is there any way of securing the directory express console with htaccess without affecting the Fedora gui console access?

Regards
Siggi
From rmeggins at redhat.com Wed Apr 30 14:27:58 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Apr 2008 08:27:58 -0600
Subject: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
In-Reply-To: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com>
References: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com>
Message-ID: <481881EE.1010604@redhat.com>

Alex Davies wrote:
> Hi All,
>
> We have an AD architecture setup, and are looking to sync FDS with
> this to allow us to authenticate Linux machines and network devices.
>
> We have two AD domains, and have a winsync and passsync setup with one
> of the domain controllers in each domain. This works, subject to the
> limitation that we have to manually create each OU. Once we create the
> OU in FDS, the users appear at the next sync. Question 1: is it
> possible to automatically sync *all* OUs, including creating the OU
> in FDS if it does not exist? We have hundreds of OUs, and I don't want
> to have to create them all manually.
>
Not sure. But I suppose it could be scripted if the init AD sync process does not create them.

> Question 2 is on UNIX UID/GID sync from AD. I've found a couple of
> posts which imply that it is not possible to sync UID/GID from AD[1],
>
That is correct.

> but this was some time ago. An alternative piece of documentation
> suggests that it is, but provides no details[2].
>
It just says that you can have the directory server automatically assign uidNumber and gidNumber. It doesn't say anything about AD sync.

> I'm also struggling
> to find documentation on the libdna plugin, which I believe is
> involved[3].
>
We're working on it.

> My questions are
> - Is it possible to sync UID/GID from AD (where AD has the Unix Tools
> installed, and therefore has these attributes in the schema)?
>
No, not yet. We have to add support for the posix schema to our AD sync mechanism. This is on the roadmap.

> - Is it possible to automatically apply a unique UID/GID to each user
> that does not have a UID/GID?
>
Not after the fact. You'll have to write a script to do that.

> Any help/pointers greatly appreciated.
>
> Many thanks,
>
> Alex

From rmeggins at redhat.com Wed Apr 30 14:28:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Apr 2008 08:28:39 -0600
Subject: [Fedora-directory-users] Express web console
Message-ID: <48188217.6040505@redhat.com>

Sigurður Bjarnason wrote:
> Hi All
>
> Is there any way of securing the directory express console with
> htaccess without affecting the Fedora gui console access?
>
I'm not sure what you mean. Most of the console should already be secured. Do you have some specific urls in mind?
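Rich's answer to Alex's second question (not after the fact; write a script) is the kind of script that is easy to get subtly wrong: a backfill that hands out numbers without first collecting every uidNumber and gidNumber already in the tree, or that allocates from a range overlapping what the hosts' local /etc/passwd already uses, produces duplicate ids and therefore files owned by the wrong person. The script below is an added example, not code from the thread, from Fedora DS or from its DNA plug-in: it allocates ids lowest-free-first from a reserved range for every entry that lacks a uidNumber and writes the LDIF that applies them. The entries in SAMPLE_ENTRIES are constructed; the user-private-group convention (gidNumber equal to uidNumber) and the /home/<uid> home directory are this script's own assumptions.

```python
from typing import Dict, List, Set, Tuple

# Added example, not code from the thread, from Fedora DS or from its DNA
# plug-in: one-off backfill of uidNumber/gidNumber for entries that came in
# through AD sync without them.  SAMPLE_ENTRIES are constructed, shaped like
# what ldapsearch returns, not dumped from a real directory.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "uid": "alice",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "uidNumber": "5001", "gidNumber": "5001", "homeDirectory": "/home/alice"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com", "uid": "dave",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "uidNumber": "5000", "gidNumber": "100", "homeDirectory": "/home/dave"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "uid": "carol",
     "objectClass": ["inetOrgPerson"]},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "uid": "bob",
     "objectClass": ["inetOrgPerson"]},
]


def ids_in_use(entries: List[dict]) -> Set[int]:
    """Every uidNumber and gidNumber already present, inside the range or not.

    A number outside the range we allocate from is still taken: a manually
    created entry at 100 must not be duplicated by a later group at 100.
    """
    used: Set[int] = set()
    for e in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr in e:
                used.add(int(e[attr]))
    return used


def assign_posix_ids(entries: List[dict], start: int, end: int) -> Tuple[Dict[str, int], str]:
    """Allocate ids for entries without uidNumber; return ({dn: id}, ldif).

    Lowest free number first inside [start, end], walking entries in uid
    order so a re-run over the same data gives the same answer.  Each user
    gets a user-private group (gidNumber == uidNumber): that and the
    /home/<uid> home directory are assumptions of this script.  Pick
    `start` above anything /etc/passwd on the hosts hands out, otherwise a
    directory user and a local user end up owning each other's files.
    """
    used = ids_in_use(entries)
    next_id = start
    assigned: Dict[str, int] = {}
    chunks: List[str] = []
    for e in sorted(entries, key=lambda entry: entry["uid"]):
        if "uidNumber" in e:
            continue
        while next_id in used:
            next_id += 1
        if next_id > end:
            raise ValueError(f"range {start}-{end} exhausted at {e['dn']}")
        used.add(next_id)
        assigned[e["dn"]] = next_id
        mods = []
        if "posixAccount" not in e.get("objectClass", []):
            mods.append(("objectClass", "posixAccount"))
        mods += [("uidNumber", str(next_id)), ("gidNumber", str(next_id))]
        if "homeDirectory" not in e:
            # MUST attribute of posixAccount: without it the modify fails
            # schema checking and the whole change for this entry is rejected.
            mods.append(("homeDirectory", f"/home/{e['uid']}"))
        body = "\n".join(f"add: {a}\n{a}: {v}\n-" for a, v in mods)
        chunks.append(f"dn: {e['dn']}\nchangetype: modify\n{body}\n")
    return assigned, "\n".join(chunks)


if __name__ == "__main__":
    # Review the LDIF, then apply it once, e.g.:
    #   ldapmodify -x -ZZ -H ldap://ds.example.com -D "cn=Directory Manager" -W -f backfill.ldif
    mapping, ldif = assign_posix_ids(SAMPLE_ENTRIES, 5000, 5999)
    print(ldif)
```

Run it against a full export of the suffix (every entry that may carry uidNumber or gidNumber, groups included), not just the users you intend to fix, or ids_in_use sees only part of the picture. Once the DNA plug-in Rich mentions is configured for new entries, give it a range that does not overlap the one used here.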
From alex at davz.net Wed Apr 30 15:05:09 2008
From: alex at davz.net (Alex Davies)
Date: Wed, 30 Apr 2008 17:05:09 +0200
Subject: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
In-Reply-To: <481881EE.1010604@redhat.com>
References: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com> <481881EE.1010604@redhat.com>
Message-ID: <5fb622120804300805t132d0628x872064fc3a48ad94@mail.gmail.com>

Many thanks for your replies Rich! I look forward to those features appearing...

--
Alex Davies

From siggi at betware.com Wed Apr 30 15:53:09 2008
From: siggi at betware.com (Sigurður Bjarnason)
Date: Wed, 30 Apr 2008 15:53:09 +0000
Subject: [Fedora-directory-users] Express web console
In-Reply-To: <48188217.6040505@redhat.com>
References: <48188217.6040505@redhat.com>

Yes,

I would like to secure the front page, so you have to type in the password before you get the first page, the page that lists all the pages etc.

regards
Siggi

From rmeggins at redhat.com Wed Apr 30 16:04:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Apr 2008 10:04:46 -0600
Subject: [Fedora-directory-users] Express web console
References: , <48188217.6040505@redhat.com>
Message-ID: <4818989E.9060101@redhat.com>

Sigurður Bjarnason wrote:
> Yes,
>
> I would like to secure the front page, so you have to type in the password before you get the first page, the page that lists all the pages etc.
>
That page is /usr/share/dirsrv/html/admserv.html. It is generated by the CGI URL /dist/download. I'm not sure how htaccess works - see /etc/dirsrv/admin-serv/admserv.conf for more information.

> regards
> Siggi